[rt-users] 3.8.x serious security issue with mixing sessions

Arkadiusz Miskiewicz arekm at maven.pl
Mon Oct 26 08:40:29 EDT 2009


On Friday 23 of October 2009, Jerrad Pierce wrote:
> >>   A tool like the firefox developer toolbar is an easy way to do this.
> 
> HTTPFox might be a good solution too. You can simply tell it to start
>  tracking as you use RT, and stop it once you encounter the problem.
>  Examine the results, debug, and or sanitize and share.
> 
> Everyone experiencing the problem doesn't have to install the add-on,
> just someone who has the issue.

Can I log session id here somehow?

lib/RT/Interface/Web.pm:
$RT::Logger->info("Successful login for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}");

So far it's like this:
- user logged as A
- suddenly he becomes user B
- he logged off and on as A again

httpfox shows three session ids but I found only last one in sessions table 
and it was user A session.

User B was logged in on his own computer at that time but with a totally 
different session id than the three above (so I assume user A became user B with 
some old session of user B).

Will try to get more information...
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
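As an added example, not part of the thread and not RT's own code: once the session id is logged next to the login line (the post asks how), the mixing described above can be checked for mechanically instead of by eyeballing HttpFox output. The script below assumes a hypothetical log format in which the "Successful login" line is extended with a "session=ID" field and every request logs "request user=U session=ID from ADDR"; the log lines and the contents of the sessions table are constructed to mirror the symptoms in the post (client A suddenly acting as B under a session id that is absent from the sessions table, then logging back in as A). It flags three things a practitioner would want to see: a session id used from a request but not present in the sessions table, a client address whose user changes without an intervening login, and a session id shared by more than one user.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post). The format is an
# assumption: RT's login line with a hypothetical "session=ID" field added,
# plus a hypothetical per-request line carrying user, session id and address.
SAMPLE_LOG = """\
[info]: Successful login for alice from 10.0.0.5 session=s1
[info]: request user=alice session=s1 from 10.0.0.5
[info]: Successful login for bob from 10.0.0.9 session=s2
[info]: request user=bob session=s2 from 10.0.0.9
[info]: request user=bob session=s3 from 10.0.0.5
[info]: Successful login for alice from 10.0.0.5 session=s4
[info]: request user=alice session=s4 from 10.0.0.5
"""

# Constructed stand-in for the sessions table: s3 is deliberately missing,
# matching the post's observation that the stale id was not stored.
KNOWN_SESSIONS = {"s1", "s2", "s4"}

LOGIN_RE = re.compile(r"Successful login for (\S+) from (\S+) session=(\S+)")
REQUEST_RE = re.compile(r"request user=(\S+) session=(\S+) from (\S+)")


def parse(lines):
    """Turn log lines into (kind, user, session_id, addr) tuples, in order."""
    events = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            user, addr, sid = m.groups()
            events.append(("login", user, sid, addr))
            continue
        m = REQUEST_RE.search(line)
        if m:
            user, sid, addr = m.groups()
            events.append(("request", user, sid, addr))
    return events


def find_anomalies(events, session_table):
    """Return a list of (kind, session_id, detail) describing suspicious activity."""
    users_per_session = defaultdict(set)
    last_user_by_addr = {}
    reported_unknown = set()
    anomalies = []

    for kind, user, sid, addr in events:
        users_per_session[sid].add(user)

        # A session id the server never issued (or already expired) should
        # not be accepted as an authenticated user.
        if sid not in session_table and sid not in reported_unknown:
            reported_unknown.add(sid)
            anomalies.append(("unknown_session", sid,
                              f"{user} from {addr} used a session id absent from the sessions table"))

        if kind == "login":
            last_user_by_addr[addr] = user
            continue

        # Same client address, different user, no login in between: this is
        # the "user A suddenly becomes user B" symptom.
        prev = last_user_by_addr.get(addr)
        if prev is not None and prev != user:
            anomalies.append(("user_switch", sid,
                              f"client {addr} changed from {prev} to {user} without a login"))
        last_user_by_addr[addr] = user

    # One session id serving two identities is a mixed session by definition.
    for sid, users in sorted(users_per_session.items()):
        if len(users) > 1:
            anomalies.append(("shared_session", sid,
                              f"session used by {sorted(users)}"))
    return anomalies


def run_sample():
    return find_anomalies(parse(SAMPLE_LOG.splitlines()), KNOWN_SESSIONS)


if __name__ == "__main__":
    for kind, sid, detail in run_sample():
        print(f"{kind}\t{sid}\t{detail}")
```

On the constructed input this reports the unknown session id s3 and the unexplained switch from alice to bob on 10.0.0.5; the shared-session check stays quiet because each id maps to one user, which is consistent with the post's reading that the client was handed an old session of B rather than B's live one.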


