
sesskey is exposed in url for /user/managetoken.php


    • MOODLE_311_STABLE, MOODLE_400_STABLE
    • MOODLE_311_STABLE
    • Easy
      1. Throughout the test, ensure that the sesskey=... parameter is not present in the current URL
      2. Log in as admin
      3. Navigate to Advanced features in site administration
      4. Enable the following:
        • Enable web services
        • Enable RSS feeds
        • Enable web services for mobile devices (if MDL-73414 hasn't been fixed; on 3.11 the 'Enable web services for mobile devices' setting is at Site administration > Mobile app > Mobile settings)
      5. Save changes

      RSS Keys

      1. Navigate to Preferences from the user menu
      2. Press Security keys
      3. Make a note of your current RSS key
      4. Press Reset (and Reset in the subsequent confirmation step)
      5. Confirm RSS key was reset (it's different to previous value)

      Security Keys

      1. Create a new user
      2. Assign this user as a Manager in the system context
      3. Log out
      4. Log in as new user
      5. Navigate to Preferences from the user menu
      6. Press Security keys
      7. Make a note of your current security key
      8. Press Reset (and Reset in the subsequent confirmation step)
      9. Confirm security key was reset (it's different to previous value)

      The manage tokens page must have a sesskey, but this isn't an action page, i.e. an HTTP POST, or a GET with a redirect to remove the sesskey:

      /user/managetoken.php?sesskey=ml2kgScgD0

      The sesskey check should be moved down to only apply to the actions of resetting tokens instead of the whole page.
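      The before/after shape of the fix described above, as an added example (a standalone Python model, not Moodle's own code): the handler names, form field names and session dict are assumptions, the sesskey value is the one from the issue.

```python
# Constructed model of the managetoken.php flow (not Moodle code).
# Vulnerable shape: the whole page demands a sesskey, so every link to it
# carries ?sesskey=... and the token lands in address bars, logs and Referers.
# Fixed shape: GET renders freely; only the state-changing POST checks the
# sesskey (sent in the form body), then redirects to a clean URL (POST-redirect-GET).
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed session state; the sesskey value is the one quoted in the issue.
SESSION = {"sesskey": "ml2kgScgD0", "rsskey": "old-rss-key"}


def _reset_key(session):
    session["rsskey"] = secrets.token_hex(8)


def vulnerable_managetoken(method, url, form, session):
    """Before: sesskey required on every request, including plain page views."""
    qs = parse_qs(urlsplit(url).query)
    if qs.get("sesskey", [None])[0] != session["sesskey"]:
        return 403, None
    if method == "POST" and form.get("action") == "reset":
        _reset_key(session)
    return 200, None  # page rendered, but the sesskey stays in the browser URL


def fixed_managetoken(method, url, form, session):
    """After: only the reset action needs the sesskey; GET never does."""
    if method == "POST" and form.get("action") == "reset":
        if not secrets.compare_digest(form.get("sesskey", ""), session["sesskey"]):
            return 403, None
        _reset_key(session)
        # Redirect back to the page path so no sesskey is left in the address bar.
        return 303, urlsplit(url).path
    return 200, None


def url_exposes_sesskey(url):
    """Defender's check from the test steps: is sesskey present in the query string?"""
    return "sesskey" in parse_qs(urlsplit(url).query)
```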

            People: Paul Holden (pholden), Brendan Heywood (brendanheywood), Sara Arjona (@sarjona), Amaia Anabitarte
