Activity log for bug #1328705

Date Who What changed Old value New value Message
2014-06-10 22:14:13 Son Nguyen bug added bug
2014-06-10 22:15:19 Son Nguyen information type Public Public Security
2014-06-10 22:15:30 Son Nguyen information type Public Security Private Security
2014-06-10 22:18:38 Son Nguyen tags session security
2014-06-10 22:20:40 Son Nguyen description Reported by Turzo Ahmed <ondhokarer_rajputra@yahoo.co.uk> In Mahara, changing the password doesn't destroy the other sessions which are logged in with old passwords. As other sessions are not destroyed, an attacker may still be logged in to your account even after changing password, as his session is still active. He'll have complete access to your account till that session expires! So, your account remains insecure even after the changing of password. We have 2 options to solve this: 1. Delete all active sessions right after a user changes his/her password 2. Facebook solved this issue by adding a process that asks users whether the user wants to close all open sessions or not right after changing password. Reported by FaisaL Ahmed, http://www.faisalahmed.me/ In Mahara, changing the password doesn't destroy the other sessions which are logged in with old passwords. As other sessions are not destroyed, an attacker may still be logged in to your account even after changing password, as his session is still active. He'll have complete access to your account till that session expires! So, your account remains insecure even after the changing of password. We have 2 options to solve this: 1. Delete all active sessions right after a user changes his/her password 2. Facebook solved this issue by adding a process that asks users whether the user wants to close all open sessions or not right after changing password.
2014-06-11 02:44:53 Aaron Wells mahara: importance High Medium
2014-06-11 02:46:07 Aaron Wells mahara: milestone 1.10.0
2014-06-11 02:46:18 Aaron Wells nominated for series mahara/1.10
2014-06-11 02:46:18 Aaron Wells bug task added mahara/1.10
2014-06-11 02:46:18 Aaron Wells nominated for series mahara/1.8
2014-06-11 02:46:18 Aaron Wells bug task added mahara/1.8
2014-06-11 02:46:18 Aaron Wells nominated for series mahara/1.9
2014-06-11 02:46:18 Aaron Wells bug task added mahara/1.9
2014-06-11 02:46:18 Aaron Wells nominated for series mahara/1.7
2014-06-11 02:46:18 Aaron Wells bug task added mahara/1.7
2014-06-11 02:46:28 Aaron Wells mahara/1.7: milestone 1.7.7
2014-06-11 02:46:31 Aaron Wells mahara/1.8: milestone 1.8.4
2014-06-11 02:46:34 Aaron Wells mahara/1.9: milestone 1.9.2
2014-06-11 02:46:35 Aaron Wells mahara/1.7: importance Undecided Medium
2014-06-11 02:46:37 Aaron Wells mahara/1.8: importance Undecided Medium
2014-06-11 02:46:39 Aaron Wells mahara/1.9: importance Undecided Medium
2014-06-11 02:46:41 Aaron Wells mahara/1.7: status New Confirmed
2014-06-11 02:46:43 Aaron Wells mahara/1.8: status New Confirmed
2014-06-11 02:46:46 Aaron Wells mahara/1.9: status New Confirmed
2014-07-30 09:10:07 Robert Lyon mahara/1.10: status Confirmed Fix Committed
2014-07-30 09:10:09 Robert Lyon mahara/1.7: status Confirmed Fix Committed
2014-07-30 09:10:11 Robert Lyon mahara/1.8: status Confirmed Fix Committed
2014-07-30 09:10:13 Robert Lyon mahara/1.9: status Confirmed Fix Committed
2014-07-31 21:34:53 Robert Lyon mahara/1.8: status Fix Committed Fix Released
2014-07-31 21:34:56 Robert Lyon mahara/1.9: status Fix Committed Fix Released
2014-07-31 23:09:37 Son Nguyen mahara/1.7: status Fix Committed Fix Released
2014-07-31 23:10:29 Son Nguyen mahara/1.10: assignee Son Nguyen (ngson2000)
2014-08-01 00:15:26 Robert Lyon information type Private Security Public Security
2014-10-21 00:33:03 Aaron Wells mahara: milestone 1.10.0
2014-10-21 00:33:05 Aaron Wells mahara: status Fix Committed Fix Released
2014-10-21 03:44:07 Aaron Wells mahara/1.10: status Fix Committed Fix Released