MDL-48020: CSRF in mod/forum/subscribe_ajax.php


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Affects version: 2.8
    • Fix version: 2.8
    • Component: Forum
    • Branch: MOODLE_28_STABLE
    Testing instructions:
      1. Toggle subscription to discussions with JS
        • Confirm that your changes were respected and no errors thrown
      2. Try to (deliberately) remove the sesskey
        • Confirm that you get an error about missing sesskey checks

      Where is the sesskey check? There is no need for optional_param('sesskey').

      Also, \mod_forum\subscriptions::subscribe_user_to_discussion() should check if the user is a guest account.
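The two defects the report names, as an added illustration rather than the real subscribe_ajax.php: reading the sesskey with optional_param() but never validating it leaves the endpoint open to cross-site requests, and nothing stops a guest session from subscribing. The Moodle calls used (require_login(), require_sesskey(), isguestuser(), required_param()/optional_param(), $DB->get_record(), context_module::instance()) are real core APIs; the parameter names, the record lookups and the exact argument list of subscribe_user_to_discussion()/unsubscribe_user_from_discussion() are assumptions made for the example.

```php
<?php
// Added example reconstructing the defect and its fix; not Moodle's own file.
require_once('../../config.php');

$discussionid = required_param('d', PARAM_INT);       // assumed parameter name
$subscribe    = optional_param('sub', 1, PARAM_INT);  // assumed parameter name

require_login();

// BEFORE (the reported defect): the token is only read, never compared with the
// session's sesskey, so a forged request with any value, or none, is accepted.
// A CSRF token that is not verified is no token at all.
//     $sesskey = optional_param('sesskey', '', PARAM_ALPHANUM);

// AFTER: require_sesskey() compares the submitted sesskey with the one stored
// in the session and throws if it is missing or wrong. This is the "missing
// sesskey" error the testing instructions expect in step 2.
require_sesskey();

// AFTER: require_login() alone may let a guest session through; reject guests
// explicitly before touching subscription state, as the report asks.
if (isguestuser()) {
    print_error('noguest');
}

$discussion = $DB->get_record('forum_discussions', ['id' => $discussionid], '*', MUST_EXIST);
$cm         = get_coursemodule_from_instance('forum', $discussion->forum, 0, false, MUST_EXIST);
$context    = context_module::instance($cm->id);

// Assumed signatures: (user, discussion record, module context).
if ($subscribe) {
    \mod_forum\subscriptions::subscribe_user_to_discussion($USER, $discussion, $context);
} else {
    \mod_forum\subscriptions::unsubscribe_user_from_discussion($USER, $discussion, $context);
}

header('Content-Type: application/json; charset=utf-8');
echo json_encode(['subscribed' => (bool) $subscribe]);
```

The same two checks apply to any state-changing AJAX endpoint: a sesskey that is read but not verified, and a login check that still admits the guest account, are each sufficient on their own to make the endpoint exploitable.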

      People: Andrew Lyons, Petr Skoda, Frédéric Massart, Dan Poltawski, Simey Lameze
