[rt-users] 3.8.x serious security issue with mixing sessions
Jesse Vincent
jesse at bestpractical.com
Mon Oct 26 08:58:17 EDT 2009
On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote:
> On Friday 23 of October 2009, Jerrad Pierce wrote:
> > >> A tool like the firefox developer toolbar is an easy way to do this.
> >
> > HTTPFox might be a good solution too. You can simply tell it to start
> > tracking as you use RT, and stop it once you encounter the problem.
> > Examine the results, debug, and or sanitize and share.
> >
> > Everyone experiencing the problem doesn't have to install the add-on,
> > just someone who has the issue.
>
> Can I log session id here somehow?
>
> lib/RT/Interface/Web.pm:
> $RT::Logger->info("Successful login for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}");
There are two bits you want to log:
* $session{_session_id}
* the session cookie the user sent: in 3.8.6, look at LoadSessionFromCookie
>
> So far it's like this:
> - user logged in as A
> - suddenly he becomes user B
> - he logged off and on as A again
>
> httpfox shows three session ids but I found only last one in sessions table
> and it was user A session.
Logging out should be clearing that B session, so that bit isn't too
surprising.
> User B was logged in on his own computer at that time but with a totally
> different session id than the three above (so I assume user A became user B with
> some old session of user B).
*nod*
Has _anybody_ else been seeing this? With 3.8.6 or any other version of
RT?
Jesse
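The thread boils down to correlating three values per request: the user RT thinks is logged in, the session id RT resolved, and the session cookie the browser actually sent. The following is an added example, not RT code and not something either poster wrote. It assumes a constructed log format that extends the "Successful login for ... from ..." line quoted above with hypothetical sid= and cookie= fields (the real RT line carries only the user and the remote address), and it runs two checks over a handful of constructed lines: requests where the resolved session id differs from the cookie sent, and cookies that end up attributed to more than one user, which is the "user A becomes user B" symptom described in the thread.

```python
import re
from collections import defaultdict

# Constructed sample log (not RT's real format): the quoted login line,
# extended with hypothetical sid= (server-side $session{_session_id}) and
# cookie= (session cookie the browser sent) fields.  The fourth line models
# the reported symptom: alice's browser (same address, same cookie) is
# suddenly served as bob using an old bob session.
SAMPLE_LOG = """\
[Mon Oct 26 09:00:01 2009] [info]: Successful login for alice from 10.0.0.5 sid=sess-a1 cookie=sess-a1
[Mon Oct 26 09:00:07 2009] [info]: Successful login for bob from 10.0.0.9 sid=sess-b1 cookie=sess-b1
[Mon Oct 26 09:05:12 2009] [info]: Request by alice from 10.0.0.5 sid=sess-a1 cookie=sess-a1
[Mon Oct 26 09:06:30 2009] [info]: Request by bob from 10.0.0.5 sid=sess-b0 cookie=sess-a1
[Mon Oct 26 09:06:45 2009] [info]: Request by bob from 10.0.0.9 sid=sess-b1 cookie=sess-b1
[Mon Oct 26 09:10:00 2009] [info]: Successful login for alice from 10.0.0.5 sid=sess-a2 cookie=sess-a2
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[info\]: (?:Successful login for|Request by) "
    r"(?P<user>\S+) from (?P<addr>\S+) sid=(?P<sid>\S+) cookie=(?P<cookie>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; skip lines that don't match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_cookie_mismatches(records):
    """Requests where the session the server resolved is not the one the browser asked for.

    A healthy request has sid == cookie; a mismatch means the server attached a
    different (possibly stale) session to the request.
    """
    return [r for r in records if r["sid"] != r["cookie"]]


def find_cookies_with_multiple_users(records):
    """Cookies that were served as more than one user: one browser, two identities."""
    users_by_cookie = defaultdict(set)
    for r in records:
        users_by_cookie[r["cookie"]].add(r["user"])
    return {c: sorted(u) for c, u in users_by_cookie.items() if len(u) > 1}


def main():
    records = parse_log(SAMPLE_LOG)
    for r in find_cookie_mismatches(records):
        print(f"{r['ts']}: {r['user']}@{r['addr']} sent cookie {r['cookie']} "
              f"but was served session {r['sid']}")
    for cookie, users in find_cookies_with_multiple_users(records).items():
        print(f"cookie {cookie} was served as users: {', '.join(users)}")


if __name__ == "__main__":
    main()
```

Either finding on its own is enough to narrow the report down to a specific request and session pair, which is what the thread is trying to get out of HTTPFox captures; with the session id and cookie in the server log the correlation can be done without asking the affected user to install anything.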