Body Parameters Accepted in Query vulnerability

by Venkata Rohith -
Number of replies: 4
Hi there, recently our Moodle site went through DAST (Dynamic Application Security Testing), and they found a vulnerability named "Body Parameters Accepted in Query" in the files below. Please, can anyone help me with how to resolve this vulnerability? For your information, we are using Moodle version 3.8.3.

 1. /course/category.ajax.php?categoryid=2&depth=1&showcourses=15&type=0

 2. /mod/scorm/datamodel.php?id=&a=22&sesskey=bC0QJ4V36B&attempt=1&scoid=25

 3. /calendar/export.php?sesskey=OqySwH1m7f&_qf__core_calendar_export_form=1&events%5Bexportevents%5D=all&generateurl=Get+calendar+URL

 4. calendar/managesubscriptions.php?eventtype=user&sesskey=6vvh4BKSkM&_qf__core_calendar_local_event_forms_managesubscriptions=1&mform_isexpanded_id_addsubscriptionform=1&name=1234&importfrom=1&url=1234&pollinterval=604800&importfile=390795016&add=Add

 5. /badges/mybadges.php?sesskey=uITial7g03&search=1234&submitsearch=Search

 6. /user/view.php?id=52051191&course=13&aep=aep&id=52051191&course=13&sesskey=WRMNbTBT24&_qf__theme_adaptable_output_core_user_myprofile_editprofile_form=1&description_editor%5Btext%5D=1234&description_editor%5Bformat%5D=1&description_editor%5Bitemid%5D=767741161&city=Mystery&interests=_qf__force_multiselect_submission&imagefile=335817177&imagealt=25&submitbutton=Update+profile


In reply to Venkata Rohith

Re: Body Parameters Accepted in Query vulnerability

by Leon Stringer -

This looks like a duplicate question. Are you still running an unsupported Moodle version with an unsupported PHP version? You need to address this before asking for help with potential security issues.

In reply to Leon Stringer

Re: Body Parameters Accepted in Query vulnerability

by Venkata Rohith -
Hi Leon, currently we are using Moodle version 3.8.3 and PHP version 7.3.20. Kindly suggest some ways to get rid of this "Body Parameters Accepted in Query" vulnerability without upgrading the Moodle version.
In reply to Venkata Rohith

Re: Body Parameters Accepted in Query vulnerability

by Brett Dalton -
Unfortunately you won't be able to get support for that in these forums. I suggest you engage your own developer to fix that issue if upgrading isn't an option.
In reply to Venkata Rohith

Re: Body Parameters Accepted in Query vulnerability

by Mark Sharp -
The risk with using body parameters in the URL is revealing sensitive information (username, password, etc.), as these appear in web logs and browser history and can be exploited in man-in-the-middle attacks.

I suppose your test is mostly picking up the sesskey in the param list. I do know Moodle have been picking those off (you can browse the tracker to find instances there), so updating to a newer version should help.

It seems you've asked this question before, though, and you were advised back then to upgrade to a later version. I'm not sure repeating the question will reveal a different answer.
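To make the finding and its fix concrete, the following is an added example and not code from Moodle or from anyone in this thread. It contrasts a request handler that reads a parameter from either the query string or the POST body (the pattern the scanner flags: any form submission can be replayed as a GET link, so the sesskey lands in the access log) with a handler that accepts state-changing parameters from the POST body only, and it includes a small check that reports sensitive names in a URL's query string, which you can run over your own access logs. The function names, the list of sensitive parameter names and the sample URLs are assumptions made for this example; Moodle's own parameter helpers are not used.

```php
<?php
// Added example (not Moodle code): vulnerable vs. hardened parameter reading,
// plus a query-string check for sensitive names. Names below are assumptions.

declare(strict_types=1);

// Names that must never travel in a URL: they end up in access logs, proxy
// logs and browser history. The list is an assumption for this example.
const SENSITIVE_QUERY_PARAMS = ['sesskey', 'password', 'token', 'secret'];

/**
 * Vulnerable pattern: take the parameter from the body if present, otherwise
 * from the query string. Any POST form can therefore be replayed as a GET
 * link, and the secrets in it are written to the web server log.
 */
function param_from_anywhere(string $name, array $get, array $post): ?string
{
    if (isset($post[$name])) {
        return (string) $post[$name];
    }
    if (isset($get[$name])) {
        return (string) $get[$name];
    }
    return null;
}

/**
 * Hardened pattern: a state-changing request must be a POST, and the
 * parameters it acts on are read from the body only. A value that arrives
 * only in the query string is ignored and the request is rejected.
 */
function param_from_body_only(string $name, string $method, array $get, array $post): string
{
    if ($method !== 'POST') {
        throw new RuntimeException("$name must be submitted in a POST body, got $method");
    }
    if (!isset($post[$name])) {
        $where = isset($get[$name]) ? 'the query string' : 'nowhere';
        throw new RuntimeException("$name missing from body (found in $where)");
    }
    return (string) $post[$name];
}

/**
 * Check for logs/URLs: returns the sensitive parameter names present in the
 * query string of $url, i.e. what the DAST finding and a grep over the access
 * log would both surface.
 */
function sensitive_params_in_query(string $url): array
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);
    return array_values(array_intersect(SENSITIVE_QUERY_PARAMS, array_keys($params)));
}

// Constructed request: an export form replayed as a GET link with the session
// key in the URL. The values are made up for this example.
$method = 'GET';
$get    = ['sesskey' => 'AAAAAAAAAA', 'generateurl' => 'Get calendar URL'];
$post   = [];

echo "vulnerable: sesskey=" . var_export(param_from_anywhere('sesskey', $get, $post), true) . "\n";
try {
    param_from_body_only('sesskey', $method, $get, $post);
} catch (RuntimeException $e) {
    echo "hardened:   rejected: " . $e->getMessage() . "\n";
}

// The same form submitted properly: the hardened reader accepts it.
$method = 'POST';
$post   = $get;
$get    = [];
echo "hardened:   sesskey=" . param_from_body_only('sesskey', $method, $get, $post) . "\n";

// Scan constructed access-log request lines for sensitive names in the query.
$logged_urls = [
    '/calendar/export.php?sesskey=AAAAAAAAAA&generateurl=Get+calendar+URL',
    '/course/category.ajax.php?categoryid=2&depth=1&showcourses=15&type=0',
];
foreach ($logged_urls as $u) {
    $hits = sensitive_params_in_query($u);
    printf("%-70s %s\n", $u, $hits ? 'LEAKS ' . implode(',', $hits) : 'ok');
}
```

Run it with `php example.php`. The vulnerable reader happily returns the sesskey supplied in the query string, the hardened reader rejects the GET replay and only accepts the value once it is in a POST body, and the scan reports the first URL as leaking `sesskey` while the category listing (no sensitive names, and a read-only request anyway) passes. Applying the same idea to the files in the original post means checking the request method and reading the form fields from the body only, which is a change to the scripts themselves, so it has to be done either by upgrading to a version that already includes it or by your own developer.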