Moodle tracker issue MDL-68292

admin/modules.php exposes CSRF token (sesskey) in url


    Details

      Description

      This page links to HTTP GET pages which include the sesskey but do not need it, and which also do not redirect away, so the sesskey persists in the browser URL.

      https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

      Visit: http://moodle.local/admin/modules.php


      1) This first is the list of activities, here the sesskey is not needed at all:

      http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx


      2) The second is the uninstall confirm page:

      http://moodle.local/course/search.php?modulelist=assign&sesskey=xxxxxxxxx

      Here also the sesskey is not needed until you confirm, and at that point the request should be an HTTP POST anyway.

      3) This page also links to the same place with the same issue:

      http://moodle.local/admin/plugins.php
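For comparison, an added example (not Moodle's own code) of the weak link beside the fixed pattern: a read-only listing gets a plain GET link with no token, and the state-changing uninstall is submitted as a POST form that carries the sesskey as a hidden field. It assumes a script living one level below dirroot and a hypothetical uninstall handler on admin/plugins.php.

```php
<?php
// Added example, not Moodle core code. Assumes this script sits one level below dirroot.
require(__DIR__ . '/../config.php');
require_login();
require_capability('moodle/site:config', context_system::instance());

$modname = required_param('modname', PARAM_PLUGIN);

// Weak: the token rides along in a GET URL and stays in the address bar, history
// and any Referer header. Shown only for contrast; never output a link like this.
$weakurl = new moodle_url('/course/search.php',
    ['modulelist' => $modname, 'sesskey' => sesskey()]);

// Fixed: the listing page only reads data, so the link carries no token at all.
$listurl = new moodle_url('/course/search.php', ['modulelist' => $modname]);
echo html_writer::link($listurl, 'Show courses using this module');

// Fixed: the destructive action is rendered as a POST form. single_button() with
// method 'post' adds the sesskey as a hidden input, so it never appears in the URL.
// The 'uninstall' parameter name on admin/plugins.php is assumed for this example.
$uninstallurl = new moodle_url('/admin/plugins.php', ['uninstall' => 'mod_' . $modname]);
echo $OUTPUT->render(new single_button($uninstallurl, 'Uninstall', 'post'));

// Receiving side of the confirm step: require a valid token and a POST request.
if (optional_param('confirm', 0, PARAM_BOOL)) {
    require_sesskey();                              // rejects a missing or wrong token
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        throw new moodle_exception('invalidsesskey'); // token-bearing GETs are refused
    }
    // ... perform the uninstall here ...
}
```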



            People

            Assignee: Brendan Heywood (brendanheywood)
            Reporter: Brendan Heywood (brendanheywood)
            Peer reviewer: Peter Burnett
            Integrator: Jake Dallimore
            Tester: Anna Carissa Sadia
            Component watchers: Andrew Lyons, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

              Dates

              Fix Release Date: 9/Nov/20
