csrf protection with moodle

Re: csrf protection with moodle

by agathe hubert -
Number of replies: 2

Hi,

I just read the config file (jobe/application/config/config.php), which says at line 455:

"Enables a CSRF cookie token to be set. When set to TRUE, token will be checked on a submitted form. If you are accepting user data, it is strongly recommended CSRF protection be enabled."

I know that I must put this server behind a firewall, but I would like to know if it's possible to be more secure (the security team asked me to enumerate all the possible ways of securing Jobe).

So I thought that there might be a way to pass the Moodle sesskey to Jobe, for example, in order to start Jobe only for an authenticated Moodle user.

(sorry for my poor english)

In reply to agathe hubert

Re: csrf protection with moodle

by Richard Lobb -

Jobe uses the RESTserver plugin for the CodeIgniter framework. CodeIgniter is a simple general-purpose web application framework and the config file you're reading belongs to that. The advice in that file relates to web sites but is not relevant to Jobe, as Jobe is not a website. It's not really even a web service, as it's used only by a single Moodle server on a private communication channel.

Session tokens relate to the communication between a web browser and a web site. But you're not using a web browser to talk to Jobe - it's a satellite service for Moodle. No browser, no website, no session tokens, therefore no CSRF attack potential.

Sure, the user talks to Moodle using a web browser, but Moodle is the gatekeeper here. Once the request has been authenticated by the Moodle frontend, the various functions, processes and services within Moodle should just proceed to do what they're told. Although it doesn't actually happen at present, it would be entirely reasonable for a regular system maintenance task, unrelated to any particular user, let alone any particular browser, to call upon the services of jobe.
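As an added example (not code from this thread, from Jobe or from Moodle), the Python sketch below models the distinction drawn in the reply above: a CSRF token only has meaning where a browser's ambient session cookie authenticates the request, whereas a satellite service with no browser in the loop is protected by its network boundary and an explicit caller credential. The session secret, the 10.0.0.5 Moodle address and the X-API-KEY header are constructed assumptions.

```python
"""Constructed model of the two trust boundaries discussed in the thread (not
Jobe or Moodle code): a browser-facing form, where the credential is an ambient
cookie and a per-session token is therefore needed, and a server-to-server
satellite service such as Jobe, where there is no browser, no cookie and no
token to protect, so the controls are the network boundary and a caller key."""
import hashlib
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    source_ip: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


SESSION_SECRET = b"constructed-demo-secret"  # constructed; never hard-code for real


def sesskey_for(session_id: str) -> str:
    """Token bound to the session cookie (simplified stand-in for Moodle's sesskey).
    A cross-site page can make the browser send the cookie but cannot read this."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def moodle_form_accepts(req: Request) -> bool:
    """Browser-facing endpoint: reject unless the submitted token matches the one
    derived from the ambient session cookie. This is what a CSRF check does."""
    session_id = req.cookies.get("MoodleSession")
    if session_id is None:
        return False
    return hmac.compare_digest(req.form.get("sesskey", ""), sesskey_for(session_id))


MOODLE_SERVERS = [ip_network("10.0.0.5/32")]  # constructed: the single Moodle host
JOBE_API_KEY = "constructed-api-key"  # constructed; hypothetical shared secret


def jobe_accepts(req: Request) -> bool:
    """Satellite service: no browser is involved, so a CSRF token has nothing to
    bind to. Trust comes from the firewall-style source allowlist and a shared
    key only the Moodle server holds (the X-API-KEY header is an assumption)."""
    if not any(ip_address(req.source_ip) in net for net in MOODLE_SERVERS):
        return False
    return hmac.compare_digest(req.headers.get("X-API-KEY", ""), JOBE_API_KEY)
```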