MDL-74466

Repository management leaks sesskey in GET requests


Details

    • MOODLE_400_STABLE, MOODLE_401_STABLE
    • MOODLE_402_STABLE, MOODLE_403_STABLE
    • MDL-74466-401
    • MDL-74466-402
    • MDL-74466-403
    • Easy
      1. Log in as admin
      2. Navigate to Plugins > Repositories > Manage repositories in site administration
      3. Press the Settings link for any repository
      4. Confirm absence of sesskey=X in page URL
      5. Confirm you can edit/save the settings for the repository
      6. Confirm the Active? and Order column links contain sesskey and function correctly
      7. Enable the File system repository
        • Enable Allow admins to add a file system repository instance to a course (configurable only by admins)
      8. Create a new directory in your $CFG->dataroot/repository folder, e.g.

        mkdir -p /var/www/moodledata/repository/test
        

      9. Press Settings for that repository
      10. Press Create a repository instance
      11. Confirm absence of sesskey=X in page URL
      12. Enter a Name and choose the "test" folder, press Save
      13. Press Settings for your repository instance
      14. Confirm absence of sesskey=X in page URL
      15. Press Cancel
      16. Press Delete for your repository instance
      17. Confirm absence of sesskey=X in page URL
      18. Press Continue
      19. Confirm repository instance is deleted
      20. Create a new course
      21. Select More > Repositories
      22. Press Create "File system" instance
      23. Confirm absence of sesskey=X in page URL
      24. Enter a Name and choose the "test" folder, press Save
      25. Press Settings for your repository instance
      26. Confirm absence of sesskey=X in page URL
      27. Press Cancel
      28. Press Delete for your repository instance
      29. Confirm absence of sesskey=X in page URL
      30. Press Continue
      31. Confirm repository instance is deleted

    Description

      The admin menu under Plugins links to these pages for adding repositories using an HTTP GET:

      /admin/repository.php?sesskey=qFBfbeB6jO&action=edit&repos=nextcloud

      The first page you go to performs no action and does not need a sesskey.
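      The rule the testing steps and the description express (a Settings link that only renders a form must not carry sesskey, while the Active? and Order links that change state must) as a link audit that can be run over URLs collected from rendered admin pages. This is an added Python example, not Moodle code; the action names other than edit and all sample URLs except the one quoted above are constructed assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample of links as an admin page might render them; CONSTRUCTEDKEY
# stands in for a real sesskey. Action names other than 'edit' are assumptions
# about admin/repository.php, not values taken from the ticket.
SAMPLE_LINKS = [
    # Settings link as reported: it only renders a form, so the token is leaked.
    "/admin/repository.php?sesskey=CONSTRUCTEDKEY&action=edit&repos=nextcloud",
    # Same link as it should look after the fix.
    "/admin/repository.php?action=edit&repos=nextcloud",
    # Active? / Order column links change state on click, so they must keep it.
    "/admin/repository.php?sesskey=CONSTRUCTEDKEY&action=hide&repos=nextcloud",
    "/admin/repository.php?action=moveup&repos=nextcloud",
]

# Actions that only display a page (a settings form or a delete confirmation).
RENDER_ONLY = {"edit", "new", "delete"}
# Actions that mutate state directly from the link and need CSRF protection.
STATE_CHANGING = {"show", "hide", "moveup", "movedown"}


def audit_link(url: str) -> list[str]:
    """Return findings for one link; an empty list means it follows the rule."""
    query = parse_qs(urlparse(url).query)
    action = query.get("action", [""])[0]
    has_sesskey = "sesskey" in query
    findings = []
    if action in RENDER_ONLY and has_sesskey:
        # A token in a GET URL ends up in browser history, proxy and server logs,
        # and in Referer headers sent to any third-party resource the page loads.
        findings.append(f"action={action}: sesskey exposed in GET URL")
    if action in STATE_CHANGING and not has_sesskey:
        findings.append(f"action={action}: state change without sesskey (CSRF risk)")
    return findings


def audit_links(urls: list[str]) -> dict[str, list[str]]:
    """Map each problematic link to its findings; clean links are omitted."""
    report = {}
    for url in urls:
        findings = audit_link(url)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit_links(SAMPLE_LINKS).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```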

          People

            pholden (Paul Holden)
            brendanheywood (Brendan Heywood)
            Huong Nguyen
            Ron Carl Alfon Yu