Vulnerability assessment check on Moodle

by Ejiro Ekpogbe -
Number of replies: 9

Hello,

I hope this message finds you well.

Please I need help with an urgent issue. My institution conducted a vulnerability assessment check on all our systems and the results showed that our Moodle site has session management vulnerability. Please see the report below.

Title: Session management vulnerability

Status: Critical

Remediation plan: REC27_WPT2 – Ignore session ID provided by browser at logon. Web application must ignore any session ID provided by the user's browser during login. Session ID must be generated on successful login by the user and terminated on logoff.

Please, any suggestions on how this issue can be resolved?

I look forward to hearing from you.

Thank you.

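To make the remediation item in the report concrete (ignore the session id the browser presents at logon, issue a fresh id on successful login, destroy it on logoff), here is an added Python illustration; it is not Moodle code and not from any poster in this thread, and SessionStore, login_vulnerable, login_fixed and assess are constructed names.

```python
import secrets


class SessionStore:
    """Minimal in-memory server-side session store, constructed for illustration."""

    def __init__(self):
        self.sessions = {}  # session id -> session data

    def get_or_create(self, presented_id):
        # Before login, an id the server never issued is ignored and a new one is set.
        if presented_id in self.sessions:
            return presented_id
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = {"user": None}
        return new_id

    def login_vulnerable(self, sid, user):
        # Keeps the pre-authentication id: the "session fixation" pattern the
        # REC27_WPT2 item describes.
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        # Discards the pre-authentication id and binds the user to a new one.
        data = self.sessions.pop(sid, {})
        data["user"] = user
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = data
        return new_id

    def logout(self, sid):
        # Terminates the session server-side, not just the cookie.
        self.sessions.pop(sid, None)

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def assess(login):
    """Check a login handler against the two remediation requirements."""
    store = SessionStore()
    pre_login_id = store.get_or_create(None)     # id known before authentication
    post_login_id = login(store, pre_login_id, "alice")
    fixation = store.user_for(pre_login_id) == "alice"  # old id still authenticated?
    store.logout(post_login_id)
    terminated = store.user_for(post_login_id) is None   # logoff really ends it?
    return {"fixation": fixation, "logout_terminates": terminated}
```

Running `assess(SessionStore.login_vulnerable)` reports fixation while `assess(SessionStore.login_fixed)` does not; a scanner that flags the former is right, one that flags the latter is the false positive Howard describes.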
In reply to Ejiro Ekpogbe

Re: Vulnerability assessment check on Moodle

by Howard Miller -
You can't just run one of these tests without being able to understand and interpret the output. These types of assessments tend to err towards "false positives".

I can't see any issue checking the session cookies on the login page. "Are you trying to login when you're logged in already?". What's wrong with that? Assuming that's what it means.
In reply to Howard Miller

Re: Vulnerability assessment check on Moodle

by Ejiro Ekpogbe -
Hello Howard,

Thank you for your response. Honestly, I do not understand it either. The institution got a team to scan our systems for vulnerability issues; one was found on our Moodle site and the report was sent to me to fix.

I was told that the impact of this is that someone may be able to access the site through a web browser without logging in to the site.

As I have no experience in Moodle development, I was hoping that someone here may have had similar issues or come across something like this, so I thought to post it here.

Please, any suggestions will be helpful.

Thank you.
In reply to Ejiro Ekpogbe

Re: Vulnerability assessment check on Moodle

by Howard Miller -
It's wrong. Unless, of course, you (or someone) can demonstrate that this is a vulnerability for real.
In reply to Howard Miller

Re: Vulnerability assessment check on Moodle

by Ejiro Ekpogbe -
Thank you, Howard. I have made a submission to the security team with more details from the scan report.
In reply to Ejiro Ekpogbe

Re: Vulnerability assessment check on Moodle

by Marcus Green -
I'd just like to emphasise that Howard is correct. This type of security scan is entirely meaningless without much more information and a context.
In reply to Marcus Green

Re: Vulnerability assessment check on Moodle

by Visvanath Ratnaweera -
In any case, don't publish it in the wild!

In reply to Visvanath Ratnaweera

Re: Vulnerability assessment check on Moodle

by Howard Miller -
Yes - but don't just send in the output from the scanner. That's not a proof of concept.