[rt-users] 3.8.x serious security issue with mixing sessions

Jesse Vincent jesse at bestpractical.com
Thu Oct 29 10:26:17 EDT 2009
On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote:
> On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> 
> Today it happened to me. I suddenly became user B in rt (opera). The real 
> user B had his PC running with rt opened (firefox) with autorefresh every 2 
> minutes set, but he was away from his computer.

I really need to see protocol-level HTTP logs for both of these
sessions. I need to see when/if RT handed you his cookie.
> 
> Now I verified his and my RT_SID cookies and... I have his cookie, aka we both 
> use the same cookie.  I log session_id in rt.log at login, so I also checked 
> that and had a login for user B with that cookie logged in rt.log 20 minutes 
> ago. The sessions table in mysql contained that session_id of course. My initial 
> cookie that I logged in with as user A was also there in the sessions table.
> 
> So in the end user B and I both have active sessions as user B with the 
> same cookie. I even did a few steps through rt on both computers to see if 
> the session_id would change, but no - we are still logged in and still use the same 
> session_id/cookie.
> 
> (feature request: what I miss now is making the session contain IP address 
> information for better security - so that the session would work only from that 
> one IP)

As an optional feature, I'd love a patch. But it has to default to off.
Too many organizations have an array of outgoing proxy IP addresses.

> -- 
> Arkadiusz Miśkiewicz        PLD/Linux Team
> arekm / maven.pl            http://ftp.pld-linux.org/
> 

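The thread asks for per-request logs to see when a session id crossed from one user to another, and notes that an IP-binding check must be optional because of proxy pools. The following added example (not RT code, and not from either poster) shows a defender-side check over such logs: it flags a session id tied to more than one user, and, only when asked, one seen from more than one client address. The log line format and the sample lines are constructed for this example; RT does not log in this layout.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed format. The thread only says that
# session_id is logged at login and that per-request HTTP logs are wanted, so
# this one-line-per-request layout is invented for the example.
SAMPLE_LOG = """\
[Thu Oct 29 14:40:02 2009] user=alice session_id=3f1c9d2a client=10.0.0.5
[Thu Oct 29 14:55:17 2009] user=bob session_id=7a44be01 client=10.0.0.9
[Thu Oct 29 15:12:48 2009] user=bob session_id=7a44be01 client=10.0.0.5
[Thu Oct 29 15:13:01 2009] user=carol session_id=c0ffee42 client=192.0.2.10
[Thu Oct 29 15:14:30 2009] user=dave session_id=c0ffee42 client=192.0.2.10
"""

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+session_id=(?P<sid>\S+)\s+client=(?P<ip>\S+)")

def parse_log(text):
    """Return a list of (user, session_id, client_ip) tuples for matching lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("sid"), m.group("ip")))
    return out

def suspicious_sessions(text, check_client=False):
    """Map session_id -> list of reasons it looks shared.

    An id tied to more than one user is always flagged. With check_client=True
    an id seen from more than one client address is flagged too; this is off by
    default because sites behind a pool of outgoing proxies would trip it.
    """
    users, clients = defaultdict(set), defaultdict(set)
    for user, sid, ip in parse_log(text):
        users[sid].add(user)
        clients[sid].add(ip)
    findings = {}
    for sid in users:
        reasons = []
        if len(users[sid]) > 1:
            reasons.append("users:" + ",".join(sorted(users[sid])))
        if check_client and len(clients[sid]) > 1:
            reasons.append("clients:" + ",".join(sorted(clients[sid])))
        if reasons:
            findings[sid] = reasons
    return findings

if __name__ == "__main__":
    for sid, why in suspicious_sessions(SAMPLE_LOG, check_client=True).items():
        print(sid, why)
```

With the client check off, only the session shared by two users is reported; turning it on also surfaces the session that moved between two client addresses, which is the symptom described in the thread.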