[rt-users] 3.8.x serious security issue with mixing sessions

Arkadiusz Miskiewicz arekm at maven.pl
Thu Oct 29 10:30:49 EDT 2009


On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> 
> Today it happened to me.

And now another story that happened just a few minutes ago:

I was logged in as A with session_id/cookie, let's say "sessA". When doing 
something in RT I suddenly got a login screen, huh! Checked the sessions table; 
sessA was still there. So I changed cookie preferences in Opera and set the RT_SID 
cookie back to "sessA", page refresh and... I'm logged in as A, no need to log in!

Which looks like my session ("sessA") was still alive and working on the RT side, 
but somehow RT passed a different session id/cookie to Opera and Opera used it, 
which in the end caused the login screen to appear.

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/