Security issue (username textfield prefilled) -- 1.4.3+

by Brian Koontz
I've been observing a spate of password requests being e-mailed from our Moodle installation.  A preliminary investigation didn't reveal anything that appeared to be a security breach.  However, I discovered a quirk in the login page that might be a security issue:

Under some conditions, on some browsers, the username field will display a username.  I cannot determine at this point if it's a random username, or someone who used the browser previously.  At any rate, clicking on the "Send my details via email" brings up the forgot_password.php page -- with the e-mail field populated with the user's e-mail. 

This could well be the source of the large number of password requests I'm seeing.

Has anybody else observed this behavior?

   --Brian
In reply to Brian Koontz

Re: Security issue (username textfield prefilled) -- 1.4.3+

by Julio Ody

I guess the answer is here:

Moodle 1.5 ALPHA (2005043000): forgot_password.php, lines 71 - 75

        if (empty($frm->email)) {
                // username comes from the persistent MOODLEID_ cookie, not from the form
                if ($username = get_moodle_cookie() ) {
                        // the matching address is looked up and written into the form
                        $frm->email = get_field("user", "email", "username", "$username");
                }
        }

The condition is the cookie being previously set or not. When you log in (I didn't check whether it does this when somebody logs in as guest), Moodle sets a cookie in which there's a variable called "MOODLEID_(something else)". get_moodle_cookie() returns its value, a string containing the username who logged in, rc4decrypt()ed. This cookie doesn't go away when you log out, so when you return later to the website, your username is already filled in on the login page.

This *can* be an indirect source of insecurity, since by setting different usernames in the cookie, I can retrieve their email addresses. It's just a way of fingerprinting info. But I wouldn't worry about that. The worst thing that can happen is somebody sitting in front of my computer after I've logged out and annoying me by sending new passwords to my email account.

If you feel paranoid, just add this line to your logout.php, right before the redirect():

    setcookie('MOODLEID_'.$CFG->sessioncookie, '', time() - HOURSECS, '/');

Hope it helps.
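The following is an added example, not code from the thread or from Moodle itself. It models the behaviour Julio describes with an in-memory user table and a fake cookie so it can be run from the PHP CLI: the quoted prefill logic, where whoever controls the MOODLEID_ cookie picks whose e-mail address is written into the form; a variant that prefills only the username and resolves the address server-side without echoing it; and the cookie-clearing line for logout.php. The user table, the cookie values and the helper names prefixed demo_ are constructed for the example; the real get_moodle_cookie() returns an rc4-decrypted username, which is replaced here by a plain value.

```php
<?php
// Added example (not Moodle code). Runs offline from the CLI.

// Moodle defines HOURSECS (3600); define it if we run outside Moodle.
defined('HOURSECS') || define('HOURSECS', 3600);

// Constructed sample user table, standing in for get_field("user", "email", "username", ...).
$DEMO_USERS = [
    'bkoontz' => 'brian@example.edu',
    'jody'    => 'julio@example.edu',
];

// Stand-in for get_moodle_cookie(). Real Moodle stores the username rc4-encrypted in
// MOODLEID_<sessioncookie>; here the cookie value is the plain username (assumption).
function demo_get_moodle_cookie(array $cookies, string $sessioncookie) {
    $name = 'MOODLEID_' . $sessioncookie;
    return (isset($cookies[$name]) && $cookies[$name] !== '') ? $cookies[$name] : false;
}

// The quoted forgot_password.php behaviour: the cookie selects a username, and that
// user's e-mail address is disclosed in the form to whoever is sitting at the browser
// (or to anyone who sets the cookie to an arbitrary username).
function demo_prefill_email_vulnerable(array $cookies, array $users, string $sessioncookie): ?string {
    if ($username = demo_get_moodle_cookie($cookies, $sessioncookie)) {
        return $users[$username] ?? null;
    }
    return null;
}

// Hardened variant: only the remembered username is prefilled; the address never
// reaches the page, so a forged cookie cannot be used to look addresses up.
function demo_prefill_username_only(array $cookies, string $sessioncookie): ?string {
    $username = demo_get_moodle_cookie($cookies, $sessioncookie);
    return $username === false ? null : $username;
}

// Hardened reset handler: the address is resolved server-side and the response is the
// same whether or not the username exists, so the form cannot be used for enumeration.
function demo_send_reset(string $username, array $users): string {
    if (isset($users[$username])) {
        // A real handler would mail $users[$username] here; the address is not echoed.
    }
    return 'If the account exists, instructions have been sent to the address on file.';
}

// Logout: expire the remembered-username cookie, as suggested above.
// Must run before any output, since it sends a Set-Cookie header.
function demo_logout_clear_cookie(string $sessioncookie): bool {
    return setcookie('MOODLEID_' . $sessioncookie, '', time() - HOURSECS, '/');
}

$sessioncookie = 'demo'; // stands in for $CFG->sessioncookie (assumption)

// Header-sending call first, before we print anything.
$cleared = demo_logout_clear_cookie($sessioncookie);

// Constructed cookie jar: an attacker who simply writes another user's name into
// the cookie, with no prior login on this machine.
$forged = ['MOODLEID_demo' => 'bkoontz'];

$leaked = demo_prefill_email_vulnerable($forged, $DEMO_USERS, $sessioncookie);
$safe   = demo_prefill_username_only($forged, $sessioncookie);

echo "vulnerable prefill exposes: " . ($leaked ?? '(nothing)') . "\n";
echo "hardened prefill exposes:   " . ($safe ?? '(nothing)') . " (username only)\n";
echo "reset response (known user):   " . demo_send_reset('bkoontz', $DEMO_USERS) . "\n";
echo "reset response (unknown user): " . demo_send_reset('nobody', $DEMO_USERS) . "\n";
echo "logout cleared cookie: " . ($cleared ? 'yes' : 'no') . "\n";
```

Running it with `php demo.php` shows the forged cookie pulling brian@example.edu into the vulnerable form, while the hardened path exposes only the username and gives an identical reset response for known and unknown accounts. The logout line is the same one suggested above; it has to be issued before any HTML is output, which is why it belongs right before the redirect() in logout.php.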