Moodle / MDL-73295

sesskey is exposed in url for /user/managetoken.php


Details

    • MOODLE_311_STABLE, MOODLE_400_STABLE
    • MOODLE_311_STABLE
    • MDL-73295-311
    • Easy
      Testing instructions
      1. Throughout the test, ensure that the sesskey=... parameter is not present in the current URL
      2. Log in as admin
      3. Navigate to Advanced features in site administration
      4. Enable the following:
        • Enable web services
        • Enable RSS feeds
        • Enable web services for mobile devices (if MDL-73414 hasn't been fixed; on 3.11 the 'Enable web services for mobile devices' setting is at Site administration > Mobile app > Mobile settings)
      5. Save changes

      RSS Keys

      1. Navigate to Preferences from the user menu
      2. Press Security keys
      3. Make a note of your current RSS key
      4. Press Reset (and Reset in the subsequent confirmation step)
      5. Confirm RSS key was reset (it's different to previous value)

      Security Keys

      1. Create a new user
      2. Assign this user as a Manager in the system context
      3. Log out
      4. Log in as new user
      5. Navigate to Preferences from the user menu
      6. Press Security keys
      7. Make a note of your current security key
      8. Press Reset (and Reset in the subsequent confirmation step)
      9. Confirm security key was reset (it's different to previous value)

    Description

      The manage tokens page must have a sesskey, but this isn't an action page, i.e. an HTTP POST or a GET with a redirect to remove the sesskey:

      /user/managetoken.php?sesskey=ml2kgScgD0

      The sesskey check should be moved down so that it applies only to the token reset actions instead of the whole page.
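      An illustrative sketch of the pattern the description asks for, added here as an example and not Moodle's actual managetoken.php or the MDL-73295 patch: the page-level sesskey requirement is moved into the reset action, the confirmation button posts the token in the form body, and the action finishes with a redirect so the token never remains in the address bar. Core API names (require_login, optional_param, require_sesskey, single_button, $OUTPUT->confirm, redirect) are Moodle's; the reset helper and the confirmation message are placeholders.

```php
<?php
// Added example (not Moodle's managetoken.php nor the MDL-73295 patch): contrasts a
// page-level sesskey check with one scoped to the state-changing action only.
require_once(__DIR__ . '/../config.php');

require_login();
$url = new moodle_url('/user/managetoken.php');
$PAGE->set_url($url);
$PAGE->set_context(context_user::instance($USER->id));

// Weak pattern: requiring the sesskey for the whole page forces every link to it to
// carry ?sesskey=..., so the CSRF token lands in the address bar, browser history,
// Referer headers and access logs:
//
//     require_sesskey();   // at the top of the page: token is exposed in the URL
//     ...render the token list...

// Corrected pattern: a plain GET renders the page with no sesskey at all; only the
// reset action demands the token, and it ends in a redirect that leaves a clean URL.
$action  = optional_param('action', '', PARAM_ALPHA);
$confirm = optional_param('confirm', 0, PARAM_BOOL);

if ($action === 'resetwebservicekey') {
    if ($confirm) {
        require_sesskey();                                 // checked only when the reset runs
        reset_webservice_key_placeholder($USER->id);       // hypothetical helper for this example
        redirect($url, get_string('changessaved'));        // GET-with-redirect: sesskey is gone
    }
    // Confirmation step: a POST button, so single_button adds the sesskey as a hidden
    // form field instead of a query-string parameter.
    $continue = new single_button(
        new moodle_url($url, ['action' => 'resetwebservicekey', 'confirm' => 1]),
        get_string('reset'), 'post');
    echo $OUTPUT->header();
    echo $OUTPUT->confirm('Reset your web service key? (placeholder message)', $continue, $url);
    echo $OUTPUT->footer();
    exit;
}

// Default view: no sesskey needed to look at the page. The Reset link points at the
// confirmation step above and carries no token either.
echo $OUTPUT->header();
echo html_writer::link(new moodle_url($url, ['action' => 'resetwebservicekey']), get_string('reset'));
echo $OUTPUT->footer();
```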

            People

              pholden Paul Holden
              brendanheywood Brendan Heywood
              Brendan Heywood Brendan Heywood
              Sara Arjona (@sarjona) Sara Arjona (@sarjona)
              Amaia Anabitarte Amaia Anabitarte
              Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Juan Leyva, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Sara Arjona (@sarjona)
              Votes: 0
              Watchers: 4

              Dates

                Created:
                Updated:
                Resolved:
                17/Jan/22

                Time Tracking

                  Estimated: 0 minutes
                  Remaining: 0 minutes
                  Logged: 1 hour