[rt-users] 3.8.x serious security issue with mixing sessions
Arkadiusz Miskiewicz
arekm at maven.pl
Thu Oct 29 10:35:09 EDT 2009
On Thursday 29 of October 2009, Jesse Vincent wrote:
> On Thu, Oct 29, 2009 at 03:18:33PM +0100, Arkadiusz Miskiewicz wrote:
> > On Thursday 29 of October 2009, Arkadiusz Miskiewicz wrote:
> >
> > Today it happened to me. I suddenly became user B in rt (opera). The
> > real user B had his PC running with rt opened (firefox) with autorefresh
> > every 2 minutes set but he was away from his computer.
>
> I really need to see protocol-level HTTP logs for both of these
> sessions. I need to see when/if RT handed you his cookie.
One firefox user here has httpfox [1] running but so far he hasn't had any
problem for the last 2 days :-(
Our rt is running over ssl, so sniffing at the wire level is also not possible (or at
least I don't know any working linux sniffer that could do that provided I
have the key/cert)
Trying to get that.
[1] it sucks a little as it doesn't have a "save log" capability
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/