[rt-users] 3.8.x serious security issue with mixing sessions
Arkadiusz Miskiewicz
arekm at maven.pl
Mon Oct 26 08:40:29 EDT 2009
On Friday 23 of October 2009, Jerrad Pierce wrote:
> >> A tool like the firefox developer toolbar is an easy way to do this.
>
> HTTPFox might be a good solution too. You can simply tell it to start
> tracking as you use RT, and stop it once you encounter the problem.
> Examine the results, debug, and or sanitize and share.
>
> Everyone experiencing the problem doesn't have to install the add-on,
> just someone who has the issue.
Can I log the session id here somehow?
lib/RT/Interface/Web.pm:
$RT::Logger->info("Successful login for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}");
So far it's like this:
- user logged in as A
- suddenly he becomes user B
- he logged off and on as A again
HTTPFox shows three session ids but I found only the last one in the sessions table,
and it was user A's session.
User B was logged in on his own computer at that time but with a totally
different session id than the three above (so I assume user A became user B with
some old session of user B).
Will try to get more information...
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
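Added example, not from this thread or from RT's own code: a small Python check over RT login log lines that flags any session id seen with more than one user, which is the symptom described in the post. It assumes the login log line has been extended with a `session=<id>` field (the RT 3.8 line quoted above has no session id), and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of RT login log lines. The stock RT 3.8 line carries no
# session id; the trailing "session=<id>" field is an assumed extension.
SAMPLE_LOG = """\
[Mon Oct 26 08:12:01 2009] [info]: Successful login for alice from 10.0.0.5 session=a1f3c9
[Mon Oct 26 08:13:40 2009] [info]: Successful login for bob from 10.0.0.9 session=77be02
[Mon Oct 26 08:20:15 2009] [info]: Successful login for alice from 10.0.0.5 session=77be02
[Mon Oct 26 08:31:07 2009] [info]: Successful login for alice from 10.0.0.5 session=c4d8e1
"""

LOGIN_RE = re.compile(
    r"Successful login for (?P<user>\S+) from (?P<addr>\S+) session=(?P<sid>\S+)"
)


def parse_logins(text):
    """Return (user, addr, sid) tuples for every line that matches LOGIN_RE."""
    return [m.group("user", "addr", "sid")
            for line in text.splitlines()
            if (m := LOGIN_RE.search(line))]


def find_shared_sessions(events):
    """Map each session id used by more than one distinct user to the ordered
    list of (user, addr) pairs seen on it. A non-empty result means two
    identities shared one session id, i.e. session mixing is visible in the log."""
    by_sid = defaultdict(list)
    for user, addr, sid in events:
        by_sid[sid].append((user, addr))
    return {sid: seen for sid, seen in by_sid.items()
            if len({u for u, _ in seen}) > 1}


if __name__ == "__main__":
    for sid, seen in find_shared_sessions(parse_logins(SAMPLE_LOG)).items():
        print(f"session {sid} shared by: {seen}")
```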