
MDL-79192: Policies handler - mod_security firewall rule 921180 triggered by specifying sesskey parameter twice


    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Minor
    • Fix Version/s: None
    • Affects Version/s: 4.0.10, 4.1.5
    • Component/s: Policy
    • Affected Branches: MOODLE_400_STABLE, MOODLE_401_STABLE

      When activating or deactivating a policy via the tool_policy handler, we are seeing OWASP Core Rule Set Protocol Attack rule 921180 triggered and the page is being blocked. This is because the sesskey parameter is being passed twice in the GET request to page /admin/tool/policy/editpolicydoc.php (essentially we are witnessing parameter pollution).

      Steps to reproduce:

      1. Activate Policies (tool_policy)
      2. Add a new policy
      3. Enable policy

      Note that you don't need a firewall to confirm the parameter is being passed twice.

            Assignee: Unassigned
            Reporter: Ian Wild (ian.wild@aveva.com)
            Votes: 0
            Watchers: 2
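As an added illustration (not code from the report or from Moodle itself), the following Python checks a request URL for the condition the report describes: a query-string parameter name, here sesskey, that occurs more than once, which is what the OWASP CRS HTTP Parameter Pollution rule 921180 reacts to. It also shows the shape of the corrected request, with each parameter name sent once. The host, the policyid and status parameters and the sesskey value are constructed for the example; only the editpolicydoc.php path and the sesskey parameter name come from the report.

```python
"""Detect HTTP parameter pollution in a query string: the same parameter
name appearing more than once, as the report observes for sesskey.

Example code written for this page, not Moodle's own code.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample. Host, policyid, status and the sesskey value are
# hypothetical; the path and the repeated seskey name are from the report.
POLLUTED_URL = (
    "https://moodle.example/admin/tool/policy/editpolicydoc.php"
    "?policyid=3&status=1&sesskey=AbC123xyz&sesskey=AbC123xyz"
)


def duplicated_params(url: str) -> dict[str, list[str]]:
    """Return {name: [value, ...]} for every query parameter whose name
    occurs more than once in `url`.

    parse_qsl keeps every occurrence in request order (parse_qs would
    merge them into one list and lose that), so a repeated name is
    visible as a name with several values. This is the same condition a
    WAF parameter-pollution rule counts, regardless of whether the
    repeated values happen to be identical.
    """
    seen: dict[str, list[str]] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def conflicting_params(url: str) -> dict[str, list[str]]:
    """Subset of duplicated_params where the repeated values differ.

    Two copies of sesskey with the same value are merely noisy; two
    copies with different values mean the server and the WAF may pick
    different ones (first-wins vs last-wins), which is the dangerous
    case in parameter pollution.
    """
    return {
        name: values
        for name, values in duplicated_params(url).items()
        if len(set(values)) > 1
    }


def dedupe_params(url: str) -> str:
    """Rebuild `url` keeping only the first occurrence of each parameter
    name. This is the shape a fixed caller should emit: one sesskey,
    one policyid, and so on, so rule 921180 has nothing to match."""
    parts = urlsplit(url)
    first: dict[str, str] = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        first.setdefault(name, value)  # later duplicates are dropped
    return urlunsplit(parts._replace(query=urlencode(first)))


if __name__ == "__main__":
    print("duplicated:", duplicated_params(POLLUTED_URL))
    print("conflicting:", conflicting_params(POLLUTED_URL))
    print("fixed URL:", dedupe_params(POLLUTED_URL))
```

Run against a captured request URL, duplicated_params is the quick reproduction check the report mentions ("you don't need a firewall to confirm the parameter is being passed twice"), and conflicting_params separates a harmless repeat from one where a WAF and the application could disagree about which value wins.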
