Best practice forum (Archived)

This forum discussion has been removed

 
This forum post has been removed
Wednesday, 13 May 2015, 5:25 AM
The content of this forum post has been removed and can no longer be accessed.
Sam Hemelryk
Re: Login As
by Sam Hemelryk - Wednesday, 13 May 2015, 5:10 PM
Group Totara

Hi Piers,

I agree this is something that I am sure annoys administrators the world over.

The change however is very intentional and despite the inconvenience it causes we would not change how it operates by default.
The reason it is done this way is to prevent any chance XSS exploits via the return to user action when a user has used login as to assume the guise of another user.
As an example of how this could be done:

  • Student discovers XSS attack vector. 
  • Writes some crafty JS that does some nasty that would open a window with the "return to admin user" link.
  • Files a support ticket with helpdesk, stating a problem on the given page.
  • Unsuspecting admin uses loginas to see what the student sees.
  • XSS code opens new window to complete the "return to admin" action.
  • Original window with the XSS code now has admin access to the site.
  • Users script proceeds to complete tasks as the admin, making themselves admin, removing other admins, firing off spam etc.

Such an exploit is achievable if the user is able to return to the original role if they have used login and are not prompted to authenticate.

Now that the student discovers an XSS attack vector sounds like they have already discovered an exploit, and they may have.
However the difference with this attack is that often the only place someone can get malicious JS to execute is somewhere only they themselves can see - the reason for this is that those areas are not often closed off as it allows for custom functionality and the user is only able to attack themselves.
A good example of this is when editing the user profile, turn the editor to HTML mode and set your description to:

<div onclick="alert('Hello!');">Click me</div>

Now change your editor back to the normal mode and click on the words "Click me".
You get an alert, which is expected, when you save the JS is stripped and everything is safe, but until you save the editor (both TinyMCE and Atto) process the JS as it may be permitted. It is when it is saved that it is stripped.
This typically isn't a problem as the only user who can be exploited is the user who is editing their profile.
However a malicious user with a little more smarts that I will not disclose here could create content that would allow the above example to happen.

In terms of solutions there is a long running improvement conversation upstream on Moodle about how to solve this MDL-24120.
The reality is that for the sake of a single password some people are willing to take the security risk.
They have talked in the past about adding a setting so that this can be disabled, or automating submit of the login form if the password has been saved.
Really they can not come to an agreement because the security risks are real and the benefit is marginal - an additional entry of credentials for a safer installation.

Given this information would you want some way to disable the login requirement when returning to your account?
We can't turn it off by default, however potentially if there is enough of an argument and it proved popular we could look for a solution where Moodle has failed to agree.
If so a little information on your use case and whether you would want a setting or something else would be appreciated.
The same goes for everyone else who is interested.

Cheers
Sam

This forum post has been removed
Monday, 18 May 2015, 3:46 AM
The content of this forum post has been removed and can no longer be accessed.
? ?
Re: Login As
by ? ? - Monday, 18 May 2015, 6:45 AM
 

Hi,

 

I'd be keen to +1 a solution to this, as we have a number of clients on 2.6 who have expressed similar frustrations. I understand the security consideration, however from an administration perspective where multiple "login as" are required, it is very time consuming to continually have to log back in to the site.

Even if there was a middle ground screen just asking for the admin password rather than full credentials that would be helpful, although as suggested a configurable option would certainly be preferred.

The only workaround at the moment as far as I can see is to have multiple windows open and open login as pages in a separate browser session thus keeping the admin account open elsewhere, although again this is not ideal, and would be tricky to do effectively if using a single screen setup.

Obviously, both clients and partners all need to ensure that an appropriate amount of security is in place, and that attacks are mitigated against where possible, however as has been mentioned above it sounds as though there may be alternative ways of preventing a theoretically possible attack whilst also addressing this issue. 

Thanks

Adam

Sam Hemelryk
Re: Login As
by Sam Hemelryk - Monday, 18 May 2015, 2:41 PM
Group Totara

Hi guys,

Thank you for the replies.

In terms of disabling JavaScript there are several areas around Totara where this it is possible for the user to add JavaScript that is executable in a limited capacity, the editors being the example so far.
There are also setting and filters that permit JavaScript in some situations.
Disabling or stripping JS is not really an option as those places that use it require it for functionality. The editor is the example I have shared as the ability to execute JS there is well known and understood, it is not in fact an easily exploitable area due to internal cleaning by both the editor JS and the mforms library.

As for whether this is theoretical or proven, it is both, it has been tested in an easy to reproduce situation with a couple of settings changed from their defaults.
It theoretically could be exploited on a much wider scale, we are aware of several areas that we suspect would be susceptible.

In regards to introducing a setting, the conundrum for us is that we support this software and this setting would introduce very clear security concerns. Concerns that we can't in all situations mitigate.
Adding the setting can be done with ease but I do not think we can support it or the consequences it may have as there would be little we could do to completely foresee and close all of the security holes it introduces.
I will have a chat to product board responsible for planning at the next meeting and see if anyone has any ideas on how we could provide a supportable solution here.

Cheers
Sam

This forum post has been removed
Tuesday, 19 May 2015, 3:03 AM
The content of this forum post has been removed and can no longer be accessed.
David
Re: Login As
by David Shaw - Wednesday, 20 May 2015, 1:45 AM
 

Hi Sam and Piers,

Our thinking here is that we should not add a setting to disable this functionality, as we would intentionally be adding a security issue into the product.

If one of our developers introduced this in custom functionality then our hosting team would not allow it to go live and I expect that if this were introduced into the code as standard then we would always remove it before we put it into a production environment.

Regards

David

This forum post has been removed
Wednesday, 20 May 2015, 2:55 AM
The content of this forum post has been removed and can no longer be accessed.
David
Re: Login As
by David Shaw - Thursday, 21 May 2015, 1:29 AM
 

Hi Piers,

I personally use lastpass to create and store all my passwords.  It auto fills in the username and password fields for sites so you don't need to type the details in, and it has the added advantage of always being able to use different secure random passwords for all of your sites (mine are now over 16 random characters long) as you don't need to remember them.  It also allows for multifactor authentication to add that extra layer of security.

And it's free for the basic version.

There are of course other password stores out there to choose from.

David

P.S. Just to set your mind at ease I don't store client site passwords in my personal lastpass account.  We use a similar service at Kineo to manage access to client sites.

Sam Hemelryk
Re: Login As
by Sam Hemelryk - Thursday, 28 May 2015, 3:40 PM
Group Totara

Hi everyone,

This issue has been discussed by the product board.

The end decision is that we will not be providing a setting or any other means to bypass the requirement of entering your credentials again when returning to your original user account after using the "login as" functionality.

The security risks are just to great if the user is not required to re-authenticate and the we do not wish to provide a means by which to bypass the simple step of re-authenticating in light of the security concerns.

Kind regards
Sam