csrf protection with moodle

by agathe hubert -
Number of replies: 4

hi,

I successfully installed a server job and the coderunner plugin into a 3.7 moodle.

I want to enable CSRF protection (it's strongly recommended in the jobe config file), but it doesn't work with moodle when enabled.

I get the error message on the coderunner question: "Unauthorised to use sandbox"

In the apache log (on the jobe server) I have "POST /jobe/index.php/restapi/runs HTTP/1.1" 403 1131 "-" "MoodleBot/1.0"

Has someone already enabled that with moodle?

Thanks a lot

In reply to agathe hubert

Re: csrf protection with moodle

by Richard Lobb -

I'm curious to know exactly what you read that said CSRF protection is strongly recommended for Jobe and exactly what you did to enable it. Did you do something on the Moodle server or on the Jobe server?

My first reaction is that CSRF isn't relevant to Jobe. A CSRF attack involves luring a user to carry out some action on a website (click a button, follow a link etc) that causes them to visit some other site, where their credentials (cookies etc) are used to carry out some action beneficial to the attacker. None of this applies to Jobe. Jobe isn't a website with links buttons etc, and there are no users to trick and no cookies or authentication tokens of benefit to any attacker. Jobe is just a server that happens to use the HTTP protocol for accepting service requests. It is (or should be) firewalled to ensure that the only access to it is from Moodle.

But perhaps I'm misunderstanding what you're trying to do. Could you explain further, please?

In reply to Richard Lobb

Re: csrf protection with moodle

by agathe hubert -

Hi,

I just read the config file (jobe/application/config/config.php), which says at line 455:

"Enables a CSRF cookie token to be set. When set to TRUE, token will be checked on a submitted form. If you are accepting user data, it is strongly recommended CSRF protection be enabled."

I know that I must put this server behind a firewall, but I would like to know if it's possible to be more secure (the security team asked me to enumerate all the possible ways of securing jobe).

So I thought there would be a way to pass the moodle sesskey to jobe, for example, in order to start jobe only for an authenticated moodle user.

(sorry for my poor english)

In reply to agathe hubert

Re: csrf protection with moodle

by Richard Lobb -

Jobe uses the RESTserver plugin for the CodeIgniter framework. CodeIgniter is a simple general-purpose web application framework and the config file you're reading belongs to that. The advice in that file relates to web sites but is not relevant to Jobe, as Jobe is not a website. It's not really even a web service, as it's used only by a single Moodle server on a private communication channel.

Session tokens relate to the communication between a web browser and a web site. But you're not using a web browser to talk to Jobe - it's a satellite service for Moodle. No browser, no website, no session tokens, therefore no CSRF attack potential.

Sure, the user talks to Moodle using a web browser, but Moodle is the gatekeeper here. Once the request has been authenticated by the Moodle frontend, the various functions, processes and services within Moodle should just proceed to do what they're told. Although it doesn't actually happen at present, it would be entirely reasonable for a regular system maintenance task, unrelated to any particular user, let alone any particular browser, to call upon the services of jobe.
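
As an added illustration of the mechanism described in the reply above (this is constructed example code, not part of the original thread and not Jobe's or CodeIgniter's own code): a simplified model of the double-submit-cookie check that the quoted CodeIgniter setting turns on, run against three kinds of request. The cookie and field names, the `Request` class, the `access_log_line` helper and the shape of the JSON body are assumptions made for the example; only the request path and the `MoodleBot/1.0` user agent come from the Apache log line quoted earlier in the thread.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


# Names are assumptions for this example; CodeIgniter makes both configurable.
CSRF_COOKIE = "csrf_cookie_name"
CSRF_FIELD = "csrf_test_name"


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (assumed shape, not a framework type)."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    json_body: Optional[dict] = None
    user_agent: str = ""


def csrf_check(req: Request) -> int:
    """Return the HTTP status a double-submit-cookie CSRF filter would produce.

    The token the browser sends in a form field must equal the token held in
    its cookie. Only state-changing POSTs are checked. A request missing
    either half is rejected with 403 before the application ever sees it.
    """
    if req.method.upper() != "POST":
        return 200
    cookie_token = req.cookies.get(CSRF_COOKIE)
    form_token = req.form.get(CSRF_FIELD)
    if cookie_token is None or form_token is None:
        return 403
    # Constant-time comparison so the check leaks nothing through timing.
    if not hmac.compare_digest(cookie_token, form_token):
        return 403
    return 200


def browser_form_post() -> Request:
    """A genuine browser submission: the page embedded the same token the cookie carries."""
    token = secrets.token_hex(16)
    return Request("POST", cookies={CSRF_COOKIE: token},
                   form={CSRF_FIELD: token}, user_agent="Mozilla/5.0")


def forged_cross_site_post() -> Request:
    """The case the check exists to stop: the victim's cookie is sent automatically,
    but the submitting page could not read it, so the form token does not match."""
    return Request("POST", cookies={CSRF_COOKIE: secrets.token_hex(16)},
                   form={CSRF_FIELD: "guess"}, user_agent="Mozilla/5.0")


def moodle_to_jobe_post() -> Request:
    """Constructed model of Moodle's server-side call to /jobe/index.php/restapi/runs.
    The body shape is an assumption; what matters is that there are no cookies and
    no form fields, because no browser session is involved."""
    return Request("POST",
                   json_body={"run_spec": {"language_id": "python3",
                                           "sourcecode": "print(1)"}},
                   user_agent="MoodleBot/1.0")


def access_log_line(req: Request, path: str = "/jobe/index.php/restapi/runs") -> str:
    """Render the outcome in the style of the Apache log line quoted in the thread."""
    return f'"{req.method} {path} HTTP/1.1" {csrf_check(req)} "-" "{req.user_agent}"'


if __name__ == "__main__":
    for name, req in [("browser form", browser_form_post()),
                      ("forged cross-site", forged_cross_site_post()),
                      ("Moodle -> Jobe", moodle_to_jobe_post())]:
        print(f"{name:18s} {access_log_line(req)}")
```

Running it shows where the 403 comes from: the browser form passes because the page carried the same token as the cookie, the forged submission is rejected because its token does not match (the only case the check is designed for), and the Moodle-to-Jobe JSON POST is rejected too, simply because it carries no cookie and no form field. On a server that is only ever called by Moodle, the check has nothing to protect and can only ever turn Moodle away; the firewall restriction mentioned above is the control that actually matters.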

In reply to Richard Lobb

Re: csrf protection with moodle

by agathe hubert -

Thank you very much for the detailed explanation :-)