Moodle: MDL-47950

$duplicate action in course/mod.php does not include a sesskey check


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Affects Version: 2.8
    • Fix Version: 2.8
    • Component: Course
    • Branch: MOODLE_28_STABLE

      Test 1
      Run behat or ask the integrators about its results regarding the duplicated-activities tests

      Test 2

      You will need a course with at least one activity

      1. Disable JS in your browser
      2. Go to that course as an admin or teacher and turn editing mode on
      3. Get the duplicate activity link (the a tag wrapping the duplicate icon in the page source)
      4. Copy it into another browser window and remove the sesskey param
      5. You SHOULD see an "A required parameter (sesskey) was missing" error
      6. The activity SHOULD NOT be duplicated
      7. Back in the main window, click on the duplicate icon
      8. The activity SHOULD be duplicated
      9. Enable JS again in your browser
      10. Refresh the course main page
      11. Click on the duplicate activity icon
      12. The activity SHOULD be duplicated
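What the handler under test looks like once the check is in place, as an added example rather than the patch attached to this issue. It is written against Moodle's standard helpers (optional_param, confirm_sesskey, sesskey, require_login, require_capability, get_coursemodule_from_id, context_module, moodle_url, redirect, course_get_url); the duplicate_module() call in course/lib.php, its return value, and the exact capability names checked on the duplicate branch are assumptions, not copied from the project.

```php
<?php
// Added example, not the MDL-47950 patch: a state-changing GET branch in the
// style of course/mod.php, with the sesskey (CSRF token) check the issue asks for.
// Assumes Moodle's standard helpers; duplicate_module() and the capability
// names below are assumptions for illustration.
require_once(__DIR__ . '/../config.php');
require_once($CFG->dirroot . '/course/lib.php');

$duplicate = optional_param('duplicate', 0, PARAM_INT);

// Before: `if (!empty($duplicate)) {` -- the branch runs as soon as the id is
// present, so a crafted link (https://site/course/mod.php?duplicate=42) planted
// anywhere a teacher will click it performs the duplication for them.
//
// After: the branch is taken only when the request also carries a sesskey that
// matches the current session. confirm_sesskey() with no argument reads the
// token with required_param('sesskey', PARAM_RAW), so a link with the parameter
// stripped (step 4 of Test 2) fails with "A required parameter (sesskey) was
// missing" before any work is done; a present but wrong token throws
// invalidsesskey. Either way nothing is duplicated.
if (!empty($duplicate) && confirm_sesskey()) {
    $cm     = get_coursemodule_from_id('', $duplicate, 0, true, MUST_EXIST);
    $course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

    require_login($course, false, $cm);
    $context = context_module::instance($cm->id);
    // Authorisation is still needed; sesskey only proves the request was
    // intended by the session owner, not that they may do it.
    require_capability('moodle/course:manageactivities', $context);
    require_capability('moodle/backup:backuptargetimport', $context);
    require_capability('moodle/restore:restoretargetimport', $context);

    $newcm = duplicate_module($course, $cm); // assumed: returns the new cm record
    redirect(course_get_url($course, $cm->sectionnum));
}

/**
 * Every link that reaches the branch above has to carry the token; this is the
 * URL the duplicate icon in editing mode should point at (added helper).
 *
 * @param stdClass $cm course module record
 * @return moodle_url
 */
function example_duplicate_link(stdClass $cm): moodle_url {
    return new moodle_url('/course/mod.php', array(
        'duplicate' => $cm->id,
        'sesskey'   => sesskey(),
    ));
}
```

Two caveats worth keeping in mind when reviewing similar handlers: the token is only useful if every caller (the non-JS icon link and the AJAX path alike) attaches it, which is why Test 2 exercises both the JS-off and JS-on paths; and because the token travels in a GET query string it ends up in browser history, proxy and web-server logs, so a sesskey-protected GET is a pragmatic fix, not a reason to prefer GET over POST for destructive actions.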

      I guess this cannot be used for CSRF, but still deleting tons of activities created by some joker would not be very funny

            People: David Monllaó (dmonllao), Petr Skoda (skodak), Marina Glancy, Dan Poltawski, Adrian Greeve
            Votes: 0
            Watchers: 3
