[MDL-71377] Add a security check around the X-MOODLEUSER header - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: Future Dev
Fix Version/s: None
Component/s: Administration
Labels:

Description

If you have configured $CFG->headerloguser then it adds a header to the response:

https://github.com/moodle/moodle/blob/master/config-dist.php#L443-L448

The server should be configured to append this to the access logs, but then also remove this header so it doesn't reach the outside world.

If it does reach the outside world it is usually not a big deal, but if you have a caching layer cdn / varnish then you can leak usernames across requests which are publicly cached.

This isn't something we can fix in code so it's not strictly a security issue. The main thing we can do is add a check to the security report which curls an endpoint and confirms this header doesn't exist. The only way to do this reliably is to make a new simple endpoint which just sets this header, attempting to test a real url like the logo is non deterministic as it depends on who previously accessed that url and if they were logged in, and how many shared cache servers you have etc.

Attachments

Issue Links

has a non-specific relationship to

MDL-69205 Adding a new Check - test https and directory slash redirects

Reopened

MDL-69333 Reduce ability to fingerprint a server with a htaccess-dist / nginx file / docs

Closed

has been marked as being related by

MDL-57887 Support nginx and other webservers for logging of username in access logs

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Brendan Heywood

Participants:: Brendan Heywood

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Apr/21 9:28 AM

Updated:: 20/Apr/21 10:28 AM