Session Management Issue- Session is not invalidating after password change

Bug #1363873 reported by abhishek dashora on 2014-09-01
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
High
Robert Lyon
1.10
High
Unassigned
1.8
High
Unassigned
1.9
High
Unassigned
15.04
High
Robert Lyon

Bug Description

Hi Security Team,

I have discovered the session management issue on the domain https://mahara.org/

Description of the issue-

The application does not invalidate the previous session once the password is changed by the legitimate user.

How to reproduce?-

1. Login in the application using https://mahara.org/ and login into the application.
2. Lets assume application user's account is compromised so he wants to change his password, he will navigate to forgot password page and will change his password.
3. Application user is able to change his password but it was observed that still the previous session was not invalidated and i was actually able to browse the application from both the sessions.

Impact- If the application user's account is compromised, he will simply change his password but if the previous session is not invalidated there is no use of changing the password.
Please let me know if you need video PoC for this.

Remediation- Invalidate the previous session once the password has been changed and enforce the application user to relogin in the application.

Thanks and Regards,
Abhishek Dashora

CVE References

Aaron Wells (u-aaronw) wrote :

Hi Abhishek,

Sorry, for the slow reply. This bug report must have slipped through the cracks.

We'll take a look at this. Do you want to be listed on the Mahara Project's security contributors page? https://wiki.mahara.org/index.php/Contributors#Security_researchers

If so, please let me know if you want your Twitter handle or other URL next to your name.

Cheers,
Aaron

Changed in mahara:
status: New → Confirmed
importance: Undecided → High
milestone: none → 15.04.0
Download full text (3.3 KiB)

Hi Aaron,

Glad to receive response from your end.

I would be lucky to be listed on Mahara Contributor Page. Below are the
details

Abhishek Dashora (https://www.facebook.com/ad271)

Thanks and Regards,
Abhishek Dashora

On Fri, Oct 31, 2014 at 11:02 AM, Aaron Wells <email address hidden>
wrote:

> Hi Abhishek,
>
> Sorry, for the slow reply. This bug report must have slipped through the
> cracks.
>
> We'll take a look at this. Do you want to be listed on the Mahara
> Project's security contributors page?
> https://wiki.mahara.org/index.php/Contributors#Security_researchers
>
> If so, please let me know if you want your Twitter handle or other URL
> next to your name.
>
> Cheers,
> Aaron
>
> ** Changed in: mahara
> Status: New => Confirmed
>
> ** Changed in: mahara
> Importance: Undecided => High
>
> ** Changed in: mahara
> Milestone: None => 15.04.0
>
> ** Also affects: mahara/15.04
> Importance: High
> Status: Confirmed
>
> ** Also affects: mahara/1.9
> Importance: Undecided
> Status: New
>
> ** Also affects: mahara/1.10
> Importance: Undecided
> Status: New
>
> ** Also affects: mahara/1.8
> Importance: Undecided
> Status: New
>
> ** Changed in: mahara/1.10
> Milestone: None => 1.10.1
>
> ** Changed in: mahara/1.8
> Milestone: None => 1.8.6
>
> ** Changed in: mahara/1.9
> Milestone: None => 1.9.4
>
> ** Changed in: mahara/1.10
> Importance: Undecided => High
>
> ** Changed in: mahara/1.8
> Importance: Undecided => High
>
> ** Changed in: mahara/1.9
> Importance: Undecided => High
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1363873
>
> Title:
> Session Management Issue- Session is not invalidating after password
> change
>
> Status in Mahara ePortfolio:
> Confirmed
> Status in Mahara 1.10 series:
> New
> Status in Mahara 1.8 series:
> New
> Status in Mahara 1.9 series:
> New
> Status in Mahara 15.04 series:
> Confirmed
>
> Bug description:
> Hi Security Team,
>
> I have discovered the session management issue on the domain
> https://mahara.org/
>
> Description of the issue-
>
> The application does not invalidate the previous session once the
> password is changed by the legitimate user.
>
> How to reproduce?-
>
> 1. Login in the application using https://mahara.org/ and login into
> the application.
> 2. Lets assume application user's account is compromised so he wants to
> change his password, he will navigate to forgot password page and will
> change his password.
> 3. Application user is able to change his password but it was observed
> that still the previous session was not invalidated and i was actually able
> to browse the application from both the sessions.
>
> Impact- If the application user's account is compromised, he will simply
> change his password but if the previous session is not invalidated there is
> no use of changing the password.
> Please let me know if you need video PoC for this.
>
> Remediation- Invalidate the previous session once the password has
> been changed and enforce the application user to relogin in the
>...

Read more...

Robert Lyon (robertl-9) wrote :

Have submitted a patch for this:
https://reviews.mahara.org/#/c/3902/

Robert Lyon (robertl-9) on 2014-11-25
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released

Is the CVE I'd confirmed for this? Is this CVE ID allocated to me?

On Nov 8, 2017 9:24 AM, "Kristina Hoeppner" <email address hidden>
wrote:

> ** CVE added: https://cve.mitre.org/cgi-
> bin/cvename.cgi?name=2017-1000136
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1363873
>
> Title:
> Session Management Issue- Session is not invalidating after password
> change
>
> Status in Mahara:
> Fix Released
> Status in Mahara 1.10 series:
> Fix Released
> Status in Mahara 1.8 series:
> Fix Released
> Status in Mahara 1.9 series:
> Fix Released
> Status in Mahara 15.04 series:
> Fix Released
>
> Bug description:
> Hi Security Team,
>
> I have discovered the session management issue on the domain
> https://mahara.org/
>
> Description of the issue-
>
> The application does not invalidate the previous session once the
> password is changed by the legitimate user.
>
> How to reproduce?-
>
> 1. Login in the application using https://mahara.org/ and login into
> the application.
> 2. Lets assume application user's account is compromised so he wants to
> change his password, he will navigate to forgot password page and will
> change his password.
> 3. Application user is able to change his password but it was observed
> that still the previous session was not invalidated and i was actually able
> to browse the application from both the sessions.
>
> Impact- If the application user's account is compromised, he will simply
> change his password but if the previous session is not invalidated there is
> no use of changing the password.
> Please let me know if you need video PoC for this.
>
> Remediation- Invalidate the previous session once the password has
> been changed and enforce the application user to relogin in the
> application.
>
> Thanks and Regards,
> Abhishek Dashora
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/mahara/+bug/1363873/+subscriptions
>

Hi Abhishek,

There is nothing to do for you. The CVE has been published as we released a fix for the bug already. Please see https://mahara.org/interaction/forum/topic.php?id=7166

It was just now that we received the CVE assignment and I updated the bug report with the reference.

Cheers
Kristina

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers