Client-side prototype pollution for Moodle

Client-side prototype pollution for Moodle

Shravan K發表於
Number of replies: 2

We are using Moodle 3.11 and would like to know about the client prototype pollution for Moodle.
During the security report it was found that while accessing any of pages on Moodle and in the console if we try to create the object and trying to change the value, it is getting changed.
This is considered as client prototype pollution. 

As with this hacker can get the internal value of the object using _proto_ and modify the original value of the object data and process the request with modified object.
Could you please help here to mitigate this?
Adding the screenshot here for reference.

附件 ptp.png
評比平均分數: -
In reply to Shravan K

Re: Client-side prototype pollution for Moodle

Michael Hawkins發表於
Core developers的相片 Moodle HQ的相片 Particularly helpful Moodlers的相片 Peer reviewers的相片 Testers的相片

Hi Shravan,

What you are achieving here is creating an object in the browser console, and then manipulating your own object. JavaScript can be executed in the browser console as that is its purpose. You will be able to paste the same code snipped into the console on any website and achieve the same output.

Although in this case the information is not a security issue, please carefully read the following, which is an excerpt from information published at the very top of this forum:

Please do not post security scans or vulnerability findings in this public forum. Any potential vulnerabilities can be submitted via the Security Submission form, which adheres to our Security Procedures and Responsible Disclosure Policy.

評比平均分數: -
In reply to Shravan K

Re: Client-side prototype pollution for Moodle

Marcus Green發表於
Core developers的相片 Particularly helpful Moodlers的相片 Plugin developers的相片 Testers的相片
This is how the web works. You can do anything you want to javascript items in your own browser on any web site. But Michael is the real expert on this.
評比平均分數: -