[rt-users] 3.8.x serious security issue with mixing sessions

Arkadiusz Miskiewicz arekm at maven.pl
Thu Oct 29 09:48:50 EDT 2009


On Monday 26 of October 2009, Jesse Vincent wrote:
> On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Jerrad Pierce wrote:
> > > >>   A tool like the firefox developer toolbar is an easy way to do
> > > >> this.
> > >
> > > HTTPFox might be a good solution too. You can simply tell it to start
> > >  tracking as you use RT, and stop it once you encounter the problem.
> > >  Examine the results, debug, and or sanitize and share.
> > >
> > > Everyone experiencing the problem doesn't have to install the add-on,
> > > just someone who has the issue.
> >
> > Can I log session id here somehow?
> >
> > lib/RT/Interface/Web.pm:
> > $RT::Logger->info("Successful login for @{[$ARGS->{user}]} from
> > $ENV{'REMOTE_ADDR'}");
> 
> There are two bits you want to log:
> 
> 	* $session{_session_id}
> 	* the session cookie the user sent:  in 3.8.6, look at
>  LoadSessionFromCookie
> 
> > So far it's like this:
> > - user logged as A
> > - suddently he becomes user B
> > - he logged off and on as A again
> >
> > httpfox shows three session ids but I found only last one in sessions
> > table and it was user A session.
> 
> Logging out should be clearing that B session, so that bit isn't too
> surprising..

Still trying to gather more info.

What's the correct place for logging information about which session has been
logged out (forced) or logged out via web interface?

Added this to _ForceLogout but it seems to be wrong since it logs some very
different session_ids...

sub _ForceLogout {
    # log the server-side session id before the session is torn down
    my $sid = $HTML::Mason::Commands::session{'_session_id'};
    $RT::Logger->info("_ForceLogout session id $sid");
    # ... remainder of the original _ForceLogout body unchanged ...
}


> Jesse

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
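One way to make use of the two values Jesse suggests logging (the server-side _session_id and the session id carried in the cookie the browser sent) is to correlate the login and logout lines afterwards and flag the "user A suddenly becomes user B" pattern. The script below is an added example, not code from RT or from anyone in this thread; it assumes a log line format of its own (a login line that records user, client address, server session id and cookie session id, plus the _ForceLogout line from the snippet above) and runs over a few constructed sample lines.

```python
"""Correlate session log lines to spot session mixing.

Added example (not RT project code). It assumes these constructed line formats:
  "Successful login for <user> from <ip> session <sid> cookie <cookie_sid>"
  "_ForceLogout session id <sid>"
  "Logout for <user> session <sid>"
"""
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r"Successful login for (\S+) from (\S+) session (\S+) cookie (\S+)"
)
LOGOUT_RE = re.compile(r"(?:_ForceLogout session id|Logout for \S+ session) (\S+)")

# Constructed sample log lines, not real RT output. Line 3 is the suspicious
# one: alice presents cookie s1 but is handed bob's server-side session s2.
SAMPLE_LOG = """\
[info]: Successful login for alice from 10.0.0.5 session s1 cookie s1
[info]: Successful login for bob from 10.0.0.9 session s2 cookie s2
[info]: Successful login for alice from 10.0.0.5 session s2 cookie s1
[info]: _ForceLogout session id s2
[info]: Successful login for alice from 10.0.0.5 session s3 cookie s3
"""


def analyse(log_text):
    """Return a list of findings: tuples whose first element names the anomaly."""
    owners = defaultdict(set)  # server session id -> users seen with it
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            user, _ip, sid, cookie_sid = m.groups()
            # The cookie the browser sent should name the session the server
            # is now using; a mismatch is the first sign of mixing.
            if cookie_sid != sid:
                findings.append(("cookie_mismatch", user, cookie_sid, sid))
            owners[sid].add(user)
            # One server session id must never be attached to two users.
            if len(owners[sid]) > 1:
                findings.append(("shared_session", sid, tuple(sorted(owners[sid]))))
            continue
        m = LOGOUT_RE.search(line)
        if m:
            sid = m.group(1)
            if sid not in owners:
                # A logout for a session that never logged in is worth a look.
                findings.append(("logout_unknown_session", sid))
            else:
                owners.pop(sid)
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Feeding it the constructed sample yields a cookie_mismatch for alice (cookie s1, session s2) followed by a shared_session for s2 between alice and bob; the _ForceLogout line then clears s2, which matches the observation in the thread that the B session is gone from the sessions table by the time anyone looks.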


