
Add a security check around the X-MOODLEUSER header


      Description

      If you have configured $CFG->headerloguser, Moodle adds a header to the response:

      https://github.com/moodle/moodle/blob/master/config-dist.php#L443-L448

      The server should be configured to append this to the access logs, but then also remove this header so it doesn't reach the outside world.

      If it does reach the outside world it is usually not a big deal, but if you have a caching layer (CDN / Varnish) then you can leak usernames across requests which are publicly cached.

      This isn't something we can fix in code, so it's not strictly a security issue. The main thing we can do is add a check to the security report which curls an endpoint and confirms this header doesn't exist. The only way to do this reliably is to make a new simple endpoint which just sets this header. Attempting to test a real URL like the logo is non-deterministic, as it depends on who previously accessed that URL and whether they were logged in, how many shared cache servers you have, etc.
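A standalone check of the kind the description proposes, added here as an example and not Moodle's own security-report code: it fetches an endpoint (or classifies constructed sample headers) and reports whether X-MOODLEUSER reached the client, flagging the worse case where the response also shows signs of coming from a shared cache. The Age / Cache-Control heuristic, the `check_url` helper and the sample headers are assumptions.

```python
import sys
import urllib.request

# Header Moodle emits when $CFG->headerloguser is set; the web server or proxy
# is expected to log it and strip it before the response leaves the site.
SENSITIVE_HEADER = "x-moodleuser"


def get_header(headers, name):
    """Case-insensitive lookup in a dict of response headers; None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_response(headers):
    """Classify one response's headers.

    'ok'          - X-MOODLEUSER was stripped, nothing leaks.
    'leak'        - the header reached the client.
    'leak_shared' - the header reached the client AND the response looks
                    shared-cacheable (Age header or public Cache-Control),
                    so another user's name may be served to this client.
    """
    if get_header(headers, SENSITIVE_HEADER) is None:
        return "ok"
    cache_control = (get_header(headers, "cache-control") or "").lower()
    if get_header(headers, "age") is not None or "public" in cache_control:
        return "leak_shared"
    return "leak"


def check_url(url, timeout=10):
    """Live check (needs network): fetch url and classify its headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_response(dict(resp.getheaders()))


# Constructed sample responses, not captured from a real site.
SAMPLES = {
    "stripped": {"Content-Type": "text/html", "Cache-Control": "private"},
    "leaked": {"Content-Type": "text/html", "X-MOODLEUSER": "alice"},
    "leaked_cdn": {"Content-Type": "text/html", "X-MOODLEUSER": "alice",
                   "Cache-Control": "public, max-age=3600", "Age": "120"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))  # e.g. the dedicated test endpoint
    else:
        for name, hdrs in SAMPLES.items():
            print(name, "->", classify_response(hdrs))
```

Point it at the dedicated header-setting endpoint the description calls for rather than a real page, for the same non-determinism reason given above.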


              Reporter:
              Brendan Heywood