Sensitive data disclosure

by madhura railkar -
Number of replies: 1

"During the security testing of a Moodle site, it was observed that sensitive data was exposed in:


1. Session key was sent in URL

2. user email id was present in the cookie parameter"


"1. Sensitive data in URL - https://mydomain/lib/ajax (all URLs starting with /lib/ajax)

2. email id was exposed in 'nv_user' parameter in Cookie."


How do I remove sensitive data from URL and cookie parameters in Moodle?

In reply to madhura railkar

Re: Sensitive data disclosure

by Tim Hunt -
This is not the right way to report Moodle security issues. See https://moodle.org/security

(But, from what I have seen so far, your tester has failed to find any real issues. They just don't understand how Moodle works or what it is doing. E.g. the thing in the URL is not a session id, it is a CSRF token. The nv_user cookie is not created by Moodle, ...)
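The distinction Tim Hunt draws above (session id versus CSRF token) is what decides whether the first finding matters, so here is an added Python illustration of it. This is not Moodle's code: the `MoodleSession` cookie name and the `sesskey` parameter name follow Moodle's conventions, but the `App` class, its `page`/`ajax` endpoints and the `demo` function are assumptions made for this example. The model: the session id lives only in the cookie and is what authenticates the browser; the sesskey is a per-session random value that every state-changing request must carry, which is why it appears in URLs, but it is worthless to anyone who does not also hold the cookie.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    session_id: str  # the real secret: authenticates the browser, lives only in a cookie
    csrf_token: str  # the "sesskey": per-session anti-CSRF value, sent in URLs/forms
    user: str


class App:
    """Toy server: cookie-based session plus a per-session CSRF token (sesskey).

    An added illustration of the scheme the reply describes, not Moodle's
    implementation. Cookie and parameter names are assumed.
    """

    COOKIE = "MoodleSession"  # assumed cookie name

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> Session:
        # The session id must be long and unpredictable; the sesskey is bound to it.
        s = Session(secrets.token_urlsafe(32), secrets.token_urlsafe(8), user)
        self._sessions[s.session_id] = s
        return s

    def _authenticate(self, cookies: Dict[str, str]) -> Optional[Session]:
        return self._sessions.get(cookies.get(self.COOKIE, ""))

    def page(self, cookies: Dict[str, str]) -> Optional[str]:
        """Any normal page: embeds the current sesskey so the browser can use it later."""
        session = self._authenticate(cookies)
        return session.csrf_token if session else None

    def ajax(self, cookies: Dict[str, str], query: Dict[str, str]) -> Tuple[int, str]:
        """State-changing endpoint (think /lib/ajax/...): needs the cookie AND a matching sesskey."""
        session = self._authenticate(cookies)
        if session is None:
            return 401, "no valid session cookie"
        # Constant-time compare so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(query.get("sesskey", ""), session.csrf_token):
            return 403, "invalid sesskey"
        return 200, f"action performed for {session.user}"


def demo() -> Dict[str, int]:
    """The four cases that matter when triaging a 'sesskey in URL' finding."""
    app = App()
    victim = app.login("alice")
    cookie = {App.COOKIE: victim.session_id}

    # 1. Legitimate browser: cookie + sesskey -> allowed.
    legit = app.ajax(cookie, {"sesskey": victim.csrf_token})[0]

    # 2. Attacker learned the sesskey from a URL (logs, Referer) but has no cookie:
    #    the token alone authenticates nobody.
    leaked_sesskey_only = app.ajax({}, {"sesskey": victim.csrf_token})[0]

    # 3. Classic CSRF: the victim's browser attaches the cookie automatically, but
    #    the cross-site page does not know the sesskey -> rejected.
    csrf_without_sesskey = app.ajax(cookie, {})[0]

    # 4. What a real session-id leak would mean: whoever holds the cookie value can
    #    load a page, read the sesskey from it, and act as the user.
    stolen = {App.COOKIE: victim.session_id}
    stolen_session_id = app.ajax(stolen, {"sesskey": app.page(stolen) or ""})[0]

    return {
        "legit": legit,
        "leaked_sesskey_only": leaked_sesskey_only,
        "csrf_without_sesskey": csrf_without_sesskey,
        "stolen_session_id": stolen_session_id,
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The useful check for a report like the one quoted is case 2: take the value the scanner flagged, send it without the cookie, and see whether it authenticates anything. A CSRF token in a URL can still leak through Referer headers or access logs, which is a hardening point worth noting, but it is not a session identifier and does not let the holder act as the user.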