Session Management Issue- Session is not invalidating after password change
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Robert Lyon | |
| 1.10 | Fix Released | High | Unassigned | |
| 1.8 | Fix Released | High | Unassigned | |
| 1.9 | Fix Released | High | Unassigned | |
| 15.04 | Fix Released | High | Robert Lyon | |
Bug Description
Hi Security Team,
I have discovered the session management issue on the domain https:/
Description of the issue-
The application does not invalidate the previous session once the password is changed by the legitimate user.
How to reproduce?-
1. Login in the application using https:/
2. Let's assume the application user's account is compromised, so he wants to change his password; he will navigate to the forgot-password page and change his password.
3. The application user is able to change his password, but it was observed that the previous session was still not invalidated, and I was actually able to browse the application from both sessions.
Impact- If the application user's account is compromised, he will simply change his password, but if the previous session is not invalidated there is no use in changing the password.
Please let me know if you need video PoC for this.
Remediation- Invalidate the previous session once the password has been changed and force the application user to re-login to the application.
Thanks and Regards,
Abhishek Dashora
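To make the reported behaviour and the remediation concrete, here is an added example (not Mahara code, and not part of the original report) of an in-memory session store in Python. It models one rule that covers both the logged-in change-password form and the forgot-password reset flow from step 2 of the report: every session issued under the old password is revoked when the password changes, and each session additionally records the "password generation" it was issued under, so a stale entry that somehow survived is still rejected. The `revoke_on_password_change=False` switch reproduces the defect for comparison; the user names, passwords and class names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count is a demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    username: str
    password_generation: int  # generation of the password this session was issued under


class SessionStore:
    """Constructed in-memory users + sessions. revoke_on_password_change=False
    reproduces the reported defect; True is the remediation."""

    def __init__(self, revoke_on_password_change: bool = True):
        self.revoke_on_password_change = revoke_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
            user.password_hash, hash_password(password, user.salt)
        ):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, user.password_generation)
        return sid

    def is_valid(self, session_id: str) -> bool:
        sess = self.sessions.get(session_id)
        if sess is None:
            return False
        # Defence in depth: a session issued under an older password generation
        # is rejected even if its entry was never deleted from the store.
        return sess.password_generation == self.users[sess.username].password_generation

    def set_password(self, username: str, new_password: str,
                     keep_session: Optional[str] = None) -> Optional[str]:
        """Shared by the logged-in change-password form and the forgot-password
        reset flow. keep_session is the session that performed the change
        (None for the reset flow, which has no session). Returns the session id
        the caller should continue with, if any."""
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        if not self.revoke_on_password_change:
            return keep_session  # reported defect: every existing session stays usable
        user.password_generation += 1
        for sid in [s for s, sess in self.sessions.items() if sess.username == username]:
            del self.sessions[sid]
        if keep_session is None:
            return None
        # Re-issue a fresh session for the user who made the change so they are
        # not logged out of the browser they are using.
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = Session(username, user.password_generation)
        return new_sid


def demo(revoke_on_password_change: bool) -> dict:
    """Replays the report: a session exists, the password is reset via the
    forgot-password flow, and we check whether the old session still works."""
    store = SessionStore(revoke_on_password_change)
    store.register("alice", "old-password")
    stale_session = store.login("alice", "old-password")  # session from before the change
    store.set_password("alice", "new-password")  # forgot-password reset, no session involved
    return {
        "stale_session_valid": store.is_valid(stale_session),
        "old_password_works": store.login("alice", "old-password") is not None,
        "new_password_works": store.login("alice", "new-password") is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", demo(False))
    print("fixed:     ", demo(True))
```

The generation counter is the part worth copying into a real implementation: deleting rows from a session table is the obvious fix, but a session that lives in a separate cache or a second application node can be missed, whereas a generation check at validation time fails closed for every session issued before the change.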
CVE References
information type: | Private Security → Public Security |
Changed in mahara: | |
status: | Fix Committed → Fix Released |
Hi Abhishek,
Sorry for the slow reply. This bug report must have slipped through the cracks.
We'll take a look at this. Do you want to be listed on the Mahara Project's security contributors page? https://wiki.mahara.org/index.php/Contributors#Security_researchers
If so, please let me know if you want your Twitter handle or other URL next to your name.
Cheers,
Aaron