Moodle tracker issue MDL-74417

Links from Manage authentication to Test settings expose the sesskey in a GET url


Details

    • MOODLE_311_STABLE
    • MDL-74417-manage-sesskeys
    • Easy
      Testing instructions:
      1. Setup
        1. Login as admin
      2. Auth
        1. Navigate to Site Administration->Plugins->Authentication/Manage authentication (admin/settings.php?section=manageauths)
        2. Hover over any 'Test settings' link and confirm you do not see a sesskey parameter in the URL.
        3. Click on a 'Test settings' link.
        4. Confirm you do not see the sesskey parameter in the browser URL bar.
        5. Remove ?auth=xxx from the URL and press enter to load the new page.
        6. Select any dropdown menu item from the list of authentication methods that have tests.
        7. Confirm you do not see the sesskey parameter in the browser URL bar.
      3. Enrol
        1. Navigate to Site Administration->Plugins->Enrolments/Manage enrol plugins (admin/settings.php?section=manageenrols)
        2. Hover over any 'Test settings' link and confirm you do not see a sesskey parameter in the URL.
        3. Click on a 'Test settings' link.
        4. Confirm you do not see the sesskey parameter in the browser URL bar.
        5. Remove ?enrol=xxx from the URL and press enter to load the new page.
        6. Select any dropdown menu item from the list of authentication methods that have tests.
        7. Confirm you do not see the sesskey parameter in the browser URL bar.
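The testing instructions above are a manual check; the same check can be run over the rendered HTML of the manage pages. The following PHP script is an added example, not Moodle code and not the patch attached to this issue: it parses a page with DOMDocument and reports every anchor whose query string carries a sesskey, plus any GET form with a sesskey input (which would land in the URL on submit). The markup in `$sample` is constructed for illustration and reuses the sesskey value quoted in the description.

```php
<?php
// Added example (not Moodle's own code): find places where a page would put
// the session key into a GET URL. The function name is hypothetical.

function find_sesskey_get_links(string $html): array {
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate HTML5 markup DOMDocument does not know
    $dom->loadHTML($html);
    libxml_clear_errors();

    $leaks = [];

    // Plain links: the query string of the href is inspected for a sesskey parameter.
    foreach ($dom->getElementsByTagName('a') as $a) {
        $href = $a->getAttribute('href');
        $query = parse_url(html_entity_decode($href), PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        parse_str($query, $params);
        if (array_key_exists('sesskey', $params)) {
            $leaks[] = $href;
        }
    }

    // GET forms: a hidden sesskey input becomes part of the URL when the form is submitted.
    foreach ($dom->getElementsByTagName('form') as $form) {
        if (strtolower($form->getAttribute('method') ?: 'get') !== 'get') {
            continue;
        }
        foreach ($form->getElementsByTagName('input') as $input) {
            if ($input->getAttribute('name') === 'sesskey') {
                $leaks[] = $form->getAttribute('action') . ' (GET form with sesskey input)';
            }
        }
    }
    return $leaks;
}

// Constructed sample: one leaking link, one clean link, one leaking GET form.
$sample = <<<HTML
<ul>
  <li><a href="/auth/test_settings.php?auth=saml2&amp;sesskey=2wFyBAgdYZ">Test settings</a></li>
  <li><a href="/auth/test_settings.php?auth=ldap">Test settings</a></li>
</ul>
<form method="get" action="/auth/test_settings.php">
  <select name="auth"><option value="saml2">saml2</option></select>
  <input type="hidden" name="sesskey" value="2wFyBAgdYZ">
  <input type="submit" value="Go">
</form>
HTML;

foreach (find_sesskey_get_links($sample) as $leak) {
    echo "sesskey exposed in GET: $leak\n";
}
```

Run against the HTML of admin/settings.php?section=manageauths and section=manageenrols (saved from a logged-in admin session), an empty result corresponds to steps 2 and 5 of the instructions passing; the script only inspects markup, it does not touch the session.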

    Description

      e.g.:

      /auth/test_settings.php?auth=saml2&sesskey=2wFyBAgdYZ

      These should not be needed, or, if they are, turn them into a POST.

      https://docs.moodle.org/dev/Security:Cross-site_request_forgery#Ensure_your_code_does_not_expose_the_sesskey_inadvertently
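As an added example (not the project's code and not the fix attached to this issue), the pattern the description reports beside the two alternatives the linked guideline allows, written against core Moodle APIs (moodle_url, html_writer::link, $OUTPUT->single_button, required_param, require_sesskey). The function names render_test_link_before, render_test_link_after, render_test_button_after and handle_test_settings_request are hypothetical, as is the error string id in the last function.

```php
<?php
// Added example, not Moodle's own code. Helper names are hypothetical.

defined('MOODLE_INTERNAL') || die();

// Before: the session key rides in the query string of a plain GET link. It then
// ends up in browser history, proxy and web-server logs, and in the Referer
// header of any outbound request made from the target page.
function render_test_link_before(string $auth, string $label): string {
    $url = new moodle_url('/auth/test_settings.php', ['auth' => $auth, 'sesskey' => sesskey()]);
    return html_writer::link($url, $label);
}

// After, case 1: the target page only reads configuration and changes nothing,
// so it needs no CSRF token at all. Drop the sesskey from the link.
function render_test_link_after(string $auth, string $label): string {
    $url = new moodle_url('/auth/test_settings.php', ['auth' => $auth]);
    return html_writer::link($url, $label);
}

// After, case 2: the action does change state, so it must carry a token, but
// the token belongs in a POST body. single_button() with method 'post' renders
// a form whose hidden sesskey field never becomes part of the URL.
function render_test_button_after(string $auth, string $label): string {
    global $OUTPUT;
    $url = new moodle_url('/auth/test_settings.php', ['auth' => $auth]);
    return $OUTPUT->single_button($url, $label, 'post');
}

// Receiving side for case 2. require_sesskey() accepts the token from either
// GET or POST, so the request method is checked as well to keep the token out
// of URLs even if a caller tries to pass it that way.
function handle_test_settings_request(): string {
    $auth = required_param('auth', PARAM_PLUGIN);
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        throw new moodle_exception('invalidaccess');   // error string id assumed for this example
    }
    require_sesskey();   // throws if the token is missing or does not match the session
    return $auth;
}
```

The choice between case 1 and case 2 is the question the description raises: only an action that modifies state needs the token, and when it does, the form method, not the link, is what keeps the token out of the URL.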

          People

            • Unassigned
            • Brendan Heywood (brendanheywood)
            • Ilya Tregubov
            Votes: 0
            Watchers: 16

              Time Tracking

                Original estimate: 0m
                Remaining estimate: 0m
                Time spent: 10m