[rt-users] 3.8.x serious security issue with mixing sessions
Arkadiusz Miskiewicz
arekm at maven.pl
Thu Oct 29 10:30:49 EDT 2009
On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
>
> Today it happened to me.
And now another story that happened just few minutes ago:
I was logged in as A with session_id/cookie, let's say "sessA". When doing
something in rt I suddenly got the login screen, huh! Checked the sessions table -
sessA was still there. So I changed cookie preferences in opera and set the RT_SID
cookie back to "sessA", refreshed the page and... I'm A, no need to log in!
Which looks like my session ("sessA") was still alive and working on the rt side,
but somehow rt passed a different session id/cookie to opera and opera used it,
which in the end caused the login screen to appear.
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/