Vulnerability assessment check on Moodle

by Ejiro Ekpogbe -
Number of replies: 9

Hello,

I hope this message finds you well.

Please, I need help with an urgent issue. My institution conducted a vulnerability assessment check on all our systems, and the results showed that our Moodle site has a session management vulnerability. Please see the report below.

Title: Session management vulnerability

Status: Critical

Remediation plan: REC27_WPT2 – Ignore session ID provided by browser at logon. Web application must ignore any session ID provided by the user's browser during login. Session ID must be generated on successful login by the user and terminated on logoff.

Please, any suggestions on how this issue can be resolved?

I look forward to hearing from you.

Thank you.

In reply to Ejiro Ekpogbe

Re: Vulnerability assessment check on Moodle

by Howard Miller -
You can't just run one of these tests without being able to understand and interpret the output. These types of assessments tend to err towards "false positives".

I can't see any issue checking the session cookies on the login page. "Are you trying to login when you're logged in already?". What's wrong with that? Assuming that's what it means.
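The remediation text in the original post asks that the server ignore whatever session ID the browser presents at login and issue a fresh one, and Howard's point is that a scanner line alone does not show that this is violated. The following added check (not from the thread, not Moodle's own code) classifies a captured login response by whether the session cookie was rotated; the cookie name MoodleSession is Moodle's default, and all header samples are constructed for illustration.

```python
# Added example: does a login response rotate the session ID?
# Moodle's default session cookie is MoodleSession; the header
# samples below are constructed, not captured from a real site.

SESSION_COOKIE = "MoodleSession"


def session_ids(headers):
    """Return every MoodleSession value set by the response, in order.

    headers is a list of (name, value) pairs as captured from an HTTP
    response; only Set-Cookie headers for the session cookie count.
    """
    ids = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, _, cookie_value = value.split(";", 1)[0].strip().partition("=")
        if cookie_name.strip() == SESSION_COOKIE:
            ids.append(cookie_value.strip())
    return ids


def check_login_response(presented_id, headers):
    """Classify the server's behaviour on a successful login.

    'rotated'  - a new session ID was issued (what the remediation requires)
    'retained' - the server re-issued the ID the browser presented
    'silent'   - no session cookie was set, so the presented ID stays in use
    Only 'retained' or 'silent' would substantiate the scanner's finding.
    """
    issued = session_ids(headers)
    if not issued:
        return "silent"
    return "rotated" if issued[-1] != presented_id else "retained"


# Constructed samples: the browser arrived at the login page with this ID.
PRESENTED = "abc123pre"
ROTATED = [("Set-Cookie", "MoodleSession=def456post; path=/; HttpOnly; Secure"),
           ("Location", "https://moodle.example/my/")]
RETAINED = [("Set-Cookie", "MoodleSession=abc123pre; path=/; HttpOnly"),
            ("Location", "https://moodle.example/my/")]
SILENT = [("Location", "https://moodle.example/my/")]

if __name__ == "__main__":
    for label, sample in (("rotated", ROTATED), ("retained", RETAINED), ("silent", SILENT)):
        print(label, "->", check_login_response(PRESENTED, sample))
```

Run it against headers captured from your own site's login with a pre-set MoodleSession cookie; a 'rotated' result is the evidence that the remediation is already in place.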
In reply to Howard Miller

Re: Vulnerability assessment check on Moodle

by Ejiro Ekpogbe -
Hello Howard,

Thank you for your response. Honestly, I do not understand it either. The institution got a team to scan our systems for vulnerability issues; one was found on our Moodle site, and the report was sent to me to fix.

I was told that the impact of this is that someone may be able to access the site through a web browser without logging in to the site.

As I have no experience in Moodle development, I was hoping that someone here may have had similar issues or come across something like this, so I thought to post it here.

Please, any suggestions will be helpful.

Thank you.
In reply to Ejiro Ekpogbe

Re: Vulnerability assessment check on Moodle

by Howard Miller -
It's wrong. Unless, of course, you (or someone) can demonstrate that this is a vulnerability for real.
In reply to Howard Miller

Re: Vulnerability assessment check on Moodle

by Ejiro Ekpogbe -
Thank you Howard, I have made a submission to the security team with more details from the scan report.
In reply to Ejiro Ekpogbe

Re: Vulnerability assessment check on Moodle

by Marcus Green -
I'd just like to emphasise that Howard is correct. This type of security scan is entirely meaningless without much more information and a context.
In reply to Marcus Green

Re: Vulnerability assessment check on Moodle

by Visvanath Ratnaweera -

In any case, don't publish it in the wild!

In reply to Visvanath Ratnaweera

Re: Vulnerability assessment check on Moodle

by Howard Miller -
Yes - but don't just send in the output from the scanner. That's not a proof of concept.