Security bug: reflected form action in view.php

[mwithheld]

Burp detected a potential reflected form action hijacking risk in the blog module. Arbitrary input in the URL was echoed in the action URL of the form for filtering blog posts by most comments (in the blog usage sidebar).

Request URL: GET /mod/oublog/view.php/t6vreissh2?id=659827 Resulting form markup in response: <form autocomplete="off" action="https://coursespaces2r.uvic.ca/mod/oublog/view.php/t6vreissh2"

To reproduce:

• Create a course OUBlog activity
• Manually edit the url and add a word between view.php and id=??? e.g. https://my.moodle.com/mod/oublog/view.php/blah?user=22 https://my.moodle.com/mod/oublog/view.php/t6vreissh2?id=659827
• View the created HTML and search for your inserted word in the HTML output - it appears in the below form's action attribute:

  <div class="oublog_statsview_content oublog_statsview_content_commentpoststats oublog-accordion-open"
  ...
  <form autocomplete="off" action="https://my.moodle.com/mod/oublog/view.php/t6vreissh2" method="post" accept-charset="utf-8" id="mform1" class="mform">

Tested on version 2018032001 3.4 r1

[jason-platts]

This is an issue on all Moodle forms (that submit to the same page by passing $action=null)...