Moodle tracker: MDL-69532

Cache-Control Misconfiguration


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.9.1
    • Fix Version/s: None
    • Component/s: Caching
    • Affected Branches:
      MOODLE_39_STABLE

      Description

      The Cache-Control header has not been set properly or is missing, allowing the browser and proxies to cache content.
      1. It is the goal of properly configured caching headers to avoid having personalized information stored in proxies. The server needs to include appropriate headers to indicate whether the response may be cached.
      2. According to the PoC attached, the only Cache-Control header we have is Cache-Control: max-age=0. But I believe this alone cannot help in fixing vulnerabilities.
      The "no-cache" option just implies that the proxy should verify, each time the page is requested, whether the page is still valid, but it may still store the page. So "no-store" is the better option to add, since it prevents both the request and the response from being stored by the cache.
      3. The "no-transform" option may be important for mobile users. Some mobile providers will compress or alter content, in particular images, to save bandwidth when re-transmitting content over cellular networks. This could break digital signatures in some cases. "no-transform" will prevent that.
      So I believe the safest control header would be:
      Cache-Control: private, no-cache, no-store, max-age=0
      4. Using Cache-Control: must-revalidate is also a safer method.
      Since most users run Moodle as a local deployment, they may not configure it for HTTPS and leave it on HTTP, which again makes it easier for browsers to store cached content.
      I hope this issue report will help the Moodle team in considering it as an improvement.
      Kindly refer to the following links for more info.
      1.https://isc.sans.edu/forums/diary/The+Security+Impact+of+HTTP+Caching+Headers/17033/
      2.https://hackerone.com/reports/185833
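As an added example (not part of the report above and not Moodle code), the following Python checker parses a response's Cache-Control header and reports, following the reasoning in the description, whether a browser or a shared proxy may still store the page. It encodes the distinction the report draws: max-age=0 and no-cache only control reuse and revalidation, while no-store is what stops the response being written to a cache at all, and private is what keeps it out of shared proxies. The header sets OBSERVED and PROPOSED are constructed here to mirror the value seen in the PoC and the value proposed in the report; the cookie name and value are placeholders.

```python
"""Check a response's Cache-Control header for personalised content.

Constructed example; not Moodle code. Directive semantics follow RFC 9111.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Header value proposed in the report for personalised pages.
RECOMMENDED = "private, no-cache, no-store, max-age=0"


@dataclass
class CacheVerdict:
    directives: dict[str, str | None]
    browser_may_store: bool   # a private (browser) cache may write the response to disk
    shared_may_store: bool    # a shared proxy/CDN cache may write the response
    findings: list[str] = field(default_factory=list)


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Parse 'Private, MAX-AGE=0, no-cache="Set-Cookie"' into {name: arg}.

    Directive names are case-insensitive; quoted arguments are unquoted;
    directives without an argument map to None.
    """
    directives: dict[str, str | None] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, has_arg, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def _max_age(cc: dict[str, str | None]) -> int | None:
    """Return max-age as an int, or None if absent or unparsable."""
    raw = cc.get("max-age")
    return int(raw) if raw is not None and raw.isdigit() else None


def assess(headers: dict[str, str]) -> CacheVerdict:
    """Decide what a browser and a shared proxy may do with this response."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings: list[str] = []

    # no-store forbids writing any part of the request or response to any cache.
    browser_may_store = "no-store" not in cc
    # private additionally forbids shared caches (proxies, CDNs) from storing it.
    shared_may_store = browser_may_store and "private" not in cc

    max_age = _max_age(cc)
    if not cc:
        findings.append("Cache-Control missing: caches fall back to heuristic freshness and may store the page")
    if browser_may_store and "no-cache" not in cc and (max_age is None or max_age > 0):
        findings.append("stored copy may be reused without revalidating with the server")
    if browser_may_store and max_age == 0 and "no-cache" not in cc and "must-revalidate" not in cc:
        findings.append("max-age=0 alone: the copy is stale immediately but still stored, and may be served stale "
                        "if revalidation fails; add no-store (or at least no-cache/must-revalidate)")
    if shared_may_store and "set-cookie" in lowered:
        findings.append("Set-Cookie without 'private': a shared proxy may store a session-bearing response")
    if "no-transform" not in cc:
        findings.append("no-transform absent: intermediaries may recompress or rewrite the body")
    return CacheVerdict(cc, browser_may_store, shared_may_store, findings)


def safe_for_personalised_content(headers: dict[str, str]) -> bool:
    """True only when neither a browser nor a proxy may store the response."""
    verdict = assess(headers)
    return not verdict.browser_may_store and not verdict.shared_may_store


# Constructed samples: the value seen in the report's PoC, and the proposed one.
# The session cookie name/value are placeholders, not real Moodle output.
OBSERVED = {"Content-Type": "text/html", "Set-Cookie": "session=abc123", "Cache-Control": "max-age=0"}
PROPOSED = {"Content-Type": "text/html", "Set-Cookie": "session=abc123", "Cache-Control": RECOMMENDED}

if __name__ == "__main__":
    for label, hdrs in (("observed", OBSERVED), ("proposed", PROPOSED)):
        v = assess(hdrs)
        print(f"{label}: browser_may_store={v.browser_may_store} shared_may_store={v.shared_may_store}")
        for f in v.findings:
            print("  -", f)
```

Run it as a script to compare the two header sets; the observed max-age=0 response is flagged as storable by both browser and proxy, while the proposed value is storable by neither. The checker still notes that the proposed value lacks no-transform, which the report discusses but does not include in its suggested header, so the caller can decide whether to append it.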


            People

            Assignee: Unassigned
            Reporter: Akash M (akashm-25)
            Component watchers: Matteo Scaramuccia, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
