[rt-users] 3.8.x serious security issue with mixing sessions

Jesse Vincent jesse at bestpractical.com
Mon Oct 26 08:58:17 EDT 2009




On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Jerrad Pierce wrote:
> > >>   A tool like the firefox developer toolbar is an easy way to do this.
> > 
> > HTTPFox might be a good solution too. You can simply tell it to start
> >  tracking as you use RT, and stop it once you encounter the problem.
> >  Examine the results, debug, and or sanitize and share.
> > 
> > Everyone experiencing the problem doesn't have to install the add-on,
> > just someone who has the issue.
> 
> Can I log session id here somehow?
> 
> lib/RT/Interface/Web.pm:
> $RT::Logger->info("Successful login for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}");

There are two bits you want to log:

  * $session{_session_id}
  * the session cookie the user sent: in 3.8.6, look at LoadSessionFromCookie
> 
> So far it's like this:
> - user logged as A
> - suddenly he becomes user B
> - he logged off and on as A again
> 
> httpfox shows three session ids but I found only the last one in the sessions table
> and it was user A's session.

Logging out should be clearing that B session, so that bit isn't too
surprising.

> User B was logged in on its own computer at that time but with a totally
> different session id than the three above (so I assume user A became user B with
> some old session of user B).

*nod*

Has _anybody_ else been seeing this? With 3.8.6 or any other version of
RT?

Jesse
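The two fields Jesse asks for only help once they are correlated. The script below is an added example, not code from RT or from anyone in this thread: it assumes the stock "Successful login" line has been extended with a `session=` and `cookie=` tail (and that ordinary requests log a similar line), parses a handful of constructed log lines that reproduce the symptom Arkadiusz describes, and flags the three things an operator would want to see: a request whose served session id differs from the cookie the browser sent, one session id serving more than one user, and one session id arriving from more than one client address. The log format, the `Request user=` line and all session ids are assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed log format (not RT's real output): the stock login line extended
# with the two fields from the thread, the server-side session id and the
# session cookie the client sent. Ordinary requests are assumed to log the
# same tail after "Request user=".
LINE_RE = re.compile(
    r"(?:Successful login for |Request user=)(?P<user>\S+) from (?P<addr>\S+) "
    r"session=(?P<session>\S+) cookie=(?P<cookie>\S+)"
)

# Constructed sample lines reproducing the symptom from the thread: alice's
# browser (10.0.0.5) keeps sending its own cookie but is suddenly served an
# old session (s-b1) that belonged to bob on another machine.
SAMPLE_LOG = [
    "[info]: Request user=bob from 10.0.0.9 session=s-b1 cookie=s-b1",
    "[info]: Successful login for alice from 10.0.0.5 session=s-a1 cookie=s-a1",
    "[info]: Request user=alice from 10.0.0.5 session=s-a1 cookie=s-a1",
    "[info]: Successful login for bob from 10.0.0.9 session=s-b2 cookie=s-b2",
    "[info]: Request user=bob from 10.0.0.5 session=s-b1 cookie=s-a1",
    "[info]: Request user=bob from 10.0.0.9 session=s-b2 cookie=s-b2",
]


def parse_line(line):
    """Return the user/addr/session/cookie fields of one log line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Correlate session ids across log lines and report anomalies.

    cookie_mismatch: requests served a session other than the cookie presented
    shared_session:  one session id used by more than one user name
    multi_addr:      one session id seen from more than one REMOTE_ADDR
    """
    records = [r for r in map(parse_line, lines) if r]
    users_by_session = defaultdict(set)
    addrs_by_session = defaultdict(set)
    findings = {"cookie_mismatch": [], "shared_session": [], "multi_addr": []}

    for r in records:
        users_by_session[r["session"]].add(r["user"])
        addrs_by_session[r["session"]].add(r["addr"])
        # The core symptom: the browser sent cookie X but got session Y.
        if r["cookie"] != r["session"]:
            findings["cookie_mismatch"].append(r)

    for sid, users in sorted(users_by_session.items()):
        if len(users) > 1:
            findings["shared_session"].append((sid, sorted(users)))
    for sid, addrs in sorted(addrs_by_session.items()):
        if len(addrs) > 1:
            findings["multi_addr"].append((sid, sorted(addrs)))
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

Run against the real log the same way (`analyze(open(path).read().splitlines())`); a non-empty `cookie_mismatch` list pinpoints the exact request where the mix-up happened, and `multi_addr` shows which stale session was handed to the wrong client.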
