Session token in URL Vulnerability

by Aditya Ravishankar -
Number of replies: 1

Greetings All, 

As we scan our Moodle websites through the Burp Suite scanner, we come across the "Session token in URL" vulnerability.


Issue Detail:

"The URL in the request appears to contain a session token within the query string:

  • https://xxxxxxxxxxxxx/admin/repository.php?sesskey=TIMHDsnYRP&action=edit&repos=recent
This issue was found in multiple locations under the reported path."

Issue Remediation Recommendation:

Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

The Moodle version the website is on is 3.9.x.

Could someone enlighten me on how this vulnerability can be mitigated? (Or can this be ignored as a false positive?)

Thanks

Kind regards 

In reply to Aditya Ravishankar

Re: Session token in URL Vulnerability

by Michael Hawkins -

Hi Aditya,

Please do not publish potential security issues to this public forum. We have a security submission form where you can send any findings here: https://moodle.org/security/report/. We have a Responsible Disclosure Policy, so any confirmed security issues are not published until a patch is in place (for more information, see our Security Policies documentation).

Regarding this specific finding, the sesskey is a CSRF token, and not a session token. That being the case, this is considered a low severity issue, but we are aware it is best practice to send these via POST rather than GET and do endeavour to fix any of these cases where GET is discovered. It would be great if you can submit your findings via the security submission form, so the cases you have identified can be triaged and fixed if necessary.

Thanks!

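To triage a scanner finding like the one quoted in this thread, a site administrator wants two things: to tell a CSRF token (such as Moodle's sesskey) apart from a real session identifier, since the reply above explains that the two carry different severity, and to see in their own access logs which endpoints still carry such a token in the query string, where it lands in web server logs, proxy logs, browser history and outbound Referer headers. The Python script below is an added example written for this thread; it is not Moodle code and not Burp Suite output. The table of parameter names, the host lms.example and the sample log lines are constructed for the example; the sesskey parameter and the /admin/repository.php URL come from the original post, while a MoodleSession value appearing in a URL is a constructed case used only to show how a genuine session identifier would be rated.

```python
"""Triage helper for "token in URL" scanner findings (added example, not Moodle code)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as token-bearing, mapped to the kind of token they carry.
# 'sesskey' is Moodle's CSRF token (as stated in the thread); the session-id names
# are assumptions about what commonly appears in scanner findings.
TOKEN_PARAMS = {
    "sesskey": "csrf",
    "moodlesession": "session",
    "phpsessid": "session",
    "sessionid": "session",
    "jsessionid": "session",
}


@dataclass
class Finding:
    method: str
    path: str
    param: str
    kind: str      # "csrf" or "session"
    severity: str  # a session id in a URL is far worse than a CSRF token in a URL


def classify_request(method: str, url: str) -> list:
    """Return one Finding per token-like parameter found in the URL's query string.

    The query string is logged regardless of HTTP method, so a POST with the
    token in the URL is still reported.
    """
    parts = urlsplit(url)
    findings = []
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        kind = TOKEN_PARAMS.get(name.lower())
        if kind is None:
            continue
        severity = "high" if kind == "session" else "low"
        findings.append(Finding(method.upper(), parts.path, name, kind, severity))
    return findings


def redact_url(url: str) -> str:
    """Blank out token values so a URL can be pasted into a ticket or report safely."""
    parts = urlsplit(url)
    pairs = [
        (name, "REDACTED" if name.lower() in TOKEN_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Combined/common log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2021:10:01:02 +0000] "GET /admin/repository.php?sesskey=TIMHDsnYRP&action=edit&repos=recent HTTP/1.1" 200 5123 "https://lms.example/admin/" "Mozilla/5.0"
10.0.0.5 - - [12/May/2021:10:01:09 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2021:10:02:30 +0000] "POST /lib/ajax/service.php?sesskey=TIMHDsnYRP&info=example_ws HTTP/1.1" 200 301 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2021:10:03:15 +0000] "GET /login/index.php?MoodleSession=abc123 HTTP/1.1" 302 0 "-" "curl/7.68"
"""


def scan_access_log(text: str) -> dict:
    """Count (method, path, parameter) triples whose request URL carried a token."""
    counts = {}
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        for finding in classify_request(match["method"], match["target"]):
            key = (finding.method, finding.path, finding.param)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    url = "https://lms.example/admin/repository.php?sesskey=TIMHDsnYRP&action=edit&repos=recent"
    for f in classify_request("GET", url):
        print(f"{f.severity:5} {f.kind:7} {f.method} {f.path} param={f.param}")
    print("report-safe URL:", redact_url(url))
    for (method, path, param), n in sorted(scan_access_log(SAMPLE_LOG).items()):
        print(f"{n:3} x {method} {path} [{param} -> {TOKEN_PARAMS[param.lower()]}]")
```

The scanner rates every token-in-URL case the same way; this script applies the distinction made in the reply above, rating a CSRF token as low and a session identifier as high, and redacts token values before they are copied into a ticket, so the triage itself does not spread them further. Run it against real access logs by reading the file into `scan_access_log` instead of `SAMPLE_LOG`.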