[rt-users] 3.8.x serious security issue with mixing sessions
Jesse Vincent
jesse at bestpractical.com
Thu Oct 29 10:26:17 EDT 2009
On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote:
> On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
>
> Today it happened to me. I suddenly became user B in rt (opera). The real
> user B had his PC running with rt opened (firefox) with autorefresh every 2
> minutes set but he was away from his computer.
I really need to see protocol-level HTTP logs for both of these
sessions. I need to see when/if RT handed you his cookie.
>
> Now I verified his and my RT_SID cookie and... I have his cookie aka we both
> use the same cookie. I log session_id in rt.log at login, so I also checked
> that and had login for user B with that cookie logged in rt.log 20 minutes
> ago. sessions table in mysql contained that session_id of course. My initial
> cookie that I logged in as user A was also there in sessions table.
>
> So at the end I and user B both have active sessions as user B with the
> same cookie. I even did a few steps through rt on both computers to see if
> session_id will change but no - we are still logged in and still use the same
> session_id/cookie.
>
> (feature request: what I miss now is to make session contain IP address
> information for better security - so that session would work only from that
> one IP)
As an optional feature, I'd love a patch. But it has to default to off.
Too many organizations have an array of outgoing proxy IP addresses.
> --
> Arkadiusz Miśkiewicz PLD/Linux Team
> arekm / maven.pl http://ftp.pld-linux.org/
>
--
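Two things in this thread lend themselves to a small worked example: the reporter's practice of logging the session_id at login (which is what let him prove the cookie was shared), and the requested opt-in binding of a session to a client IP, which Jesse wants off by default because sites behind an array of outgoing proxies would otherwise lock users out. The Python below is an added illustration, not RT code and not the patch being discussed. The rt.log line layout, the user names, the session IDs and the IP addresses are all constructed for the example; RT's real log format is not shown in the thread.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample log lines in an assumed "login user=... session_id=... ip=..."
# layout. The last line is the anomaly from the thread: user A logging in and
# ending up with the session_id that user B was issued earlier.
SAMPLE_LOG = """\
[Thu Oct 29 09:58:11 2009] [info]: login user=userB session_id=7f3c9a2e1b8d4c6f0a5e9b3d7c1f2e4a ip=10.0.0.12
[Thu Oct 29 10:05:40 2009] [info]: login user=userA session_id=4d0e8b7a6c5f4e3d2c1b0a9f8e7d6c5b ip=10.0.0.7
[Thu Oct 29 10:18:02 2009] [info]: login user=userA session_id=7f3c9a2e1b8d4c6f0a5e9b3d7c1f2e4a ip=10.0.0.7
"""

LOGIN_RE = re.compile(
    r"login user=(?P<user>\S+) session_id=(?P<sid>[0-9a-f]+) ip=(?P<ip>[\d.]+)"
)


def parse_logins(log_text):
    """Return one dict per login line: {'user', 'sid', 'ip'}. Non-login lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def shared_sessions(events):
    """Map session_id -> sorted list of users, for every session_id seen with more than one user.

    A session_id that is handed to two different accounts is exactly the
    symptom reported in the thread and should never happen.
    """
    users_by_sid = defaultdict(set)
    for ev in events:
        users_by_sid[ev["sid"]].add(ev["user"])
    return {sid: sorted(u) for sid, u in users_by_sid.items() if len(u) > 1}


def sessions_from_multiple_ips(events):
    """Map session_id -> sorted list of source IPs, for session_ids seen from more than one IP.

    This is a weaker signal: it also fires for legitimate users behind a pool
    of outgoing proxies, which is why IP binding is proposed as opt-in only.
    """
    ips_by_sid = defaultdict(set)
    for ev in events:
        ips_by_sid[ev["sid"]].add(ev["ip"])
    return {sid: sorted(i) for sid, i in ips_by_sid.items() if len(i) > 1}


class SessionStore:
    """Minimal server-side session store with optional IP binding (default off)."""

    def __init__(self, bind_to_ip=False):
        self.bind_to_ip = bind_to_ip
        self._sessions = {}

    def create(self, user, ip):
        # A fresh, unpredictable id per login; never reuse or derive one from another session.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "ip": ip}
        return sid

    def lookup(self, sid, ip):
        """Return the user for sid, or None if unknown or (when bound) presented from another IP."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.bind_to_ip and sess["ip"] != ip:
            return None
        return sess["user"]


if __name__ == "__main__":
    evs = parse_logins(SAMPLE_LOG)
    print("session ids used by more than one user:", shared_sessions(evs))
    print("session ids seen from more than one ip:", sessions_from_multiple_ips(evs))
    bound = SessionStore(bind_to_ip=True)
    sid = bound.create("userB", "10.0.0.12")
    print("bound session from another ip ->", bound.lookup(sid, "10.0.0.7"))
```

Run against the real rt.log, `shared_sessions` is the check that confirms or rules out the cookie-sharing the reporter saw, independent of browser or cache effects, while `sessions_from_multiple_ips` mostly tells you how many of your users sit behind rotating proxy addresses, which is the data you want before turning IP binding on for a site.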