Hello all Moodle security people. We have a new Moodle Installation 2.8.3+ that is supposed to go live early next week. When we run a scan of our Moodle installation, it's hitting a bunch of forms for:
150071 Form Can Be Manipulated with Cross-Site Request Forgery (CSRF)
So I did a bunch of research and found that SESSKEY is supposed to resolve these. I then found we had Moodle set to use the database for sessioning. When I disabled that, it started adding SESSKEY to some of the URLs. However, we are still getting issues with CSRF being flagged on a few forms. These are the pages that are getting flagged by the scan.
/report/stats/user.php?id=12&course=22
/course/index.php?categoryid=1
/user/index.php?contextid=68&roleid=5
/mod/scorm/player.php
/report/courseoverview/index.php
/user/edit.php?id=12&course=1
/login/change_password.php
/mod/scorm/view.php?id=43
/message/edit.php?id=12
/index.php?usergroup=search&advanced=1
/report/log/user.php?id=12&course=22&mode=all
Can anyone help me get this nailed down? I can't get a public VIP from network engineering until I get approval from Security, and they're not going to give me any approvals on this site until the CSRF issues are worked out.
Any suggestions? The manual says to use moodleforms where available, but this is a relatively default installation. We haven't even installed any custom plugins or anything other than a theme, so I figured all the forms in Moodle were "moodleforms", so I'm not even sure that's the issue.
Thanks in advance,
Vinny
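One way to triage a scanner finding like this before escalating it, as an added example that is not part of the original post and not Moodle's own code: parse the rendered page, list every form, and separate POST forms that lack the hidden `sesskey` input (the real CSRF concern) from GET search/filter forms that change no state. The HTML below is constructed to resemble Moodle markup; `require_sesskey()` in the verdict text is Moodle's server-side check for that token.

```python
from html.parser import HTMLParser

# Constructed sample of Moodle-style markup; real Moodle form HTML is more elaborate.
SAMPLE_HTML = """
<form action="/user/edit.php" method="post">
  <input type="hidden" name="sesskey" value="AbCdEf1234">
  <input type="text" name="firstname"><input type="submit" value="Update">
</form>
<form action="/course/index.php" method="get">
  <input type="text" name="search"><input type="submit" value="Go">
</form>
<form action="/message/edit.php" method="post">
  <input type="checkbox" name="blocknoncontacts"><input type="submit" value="Save">
</form>
"""

class FormAuditor(HTMLParser):
    """Records each <form>, its method, and whether it carries a non-empty hidden sesskey input."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "method": (a.get("method") or "get").lower(), "sesskey": False}
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "hidden" and a.get("name") == "sesskey" and a.get("value"):
                self._cur["sesskey"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def audit_forms(html):
    """Return (action, method, has_sesskey, verdict) per form.
    A POST form without sesskey is the finding worth fixing; a GET form is usually
    a search/filter that changes no state and needs manual confirmation rather than a token."""
    p = FormAuditor()
    p.feed(html)
    out = []
    for f in p.forms:
        if f["method"] == "post" and not f["sesskey"]:
            verdict = "missing sesskey: fix or confirm the handler calls require_sesskey()"
        elif f["method"] != "post":
            verdict = "GET form: confirm it changes no state"
        else:
            verdict = "ok"
        out.append((f["action"], f["method"], f["sesskey"], verdict))
    return out
```

Feed it the saved HTML of each flagged page; only the POST forms reported as missing the token need a code fix, the GET ones need a written justification for the security reviewer.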