Comment 2 for bug 1363873

abhishek dashora (abhishekdashora271) wrote : Re: [Bug 1363873] Re: Session Management Issue- Session is not invalidating after password change

Hi Aaron,

Glad to receive a response from your end.

I would be lucky to be listed on the Mahara Contributors page. Below are the
details:

Abhishek Dashora (https://www.facebook.com/ad271)

Thanks and Regards,
Abhishek Dashora

On Fri, Oct 31, 2014 at 11:02 AM, Aaron Wells <email address hidden>
wrote:

> Hi Abhishek,
>
> Sorry, for the slow reply. This bug report must have slipped through the
> cracks.
>
> We'll take a look at this. Do you want to be listed on the Mahara
> Project's security contributors page?
> https://wiki.mahara.org/index.php/Contributors#Security_researchers
>
> If so, please let me know if you want your Twitter handle or other URL
> next to your name.
>
> Cheers,
> Aaron
>
> ** Changed in: mahara
> Status: New => Confirmed
>
> ** Changed in: mahara
> Importance: Undecided => High
>
> ** Changed in: mahara
> Milestone: None => 15.04.0
>
> ** Also affects: mahara/15.04
> Importance: High
> Status: Confirmed
>
> ** Also affects: mahara/1.9
> Importance: Undecided
> Status: New
>
> ** Also affects: mahara/1.10
> Importance: Undecided
> Status: New
>
> ** Also affects: mahara/1.8
> Importance: Undecided
> Status: New
>
> ** Changed in: mahara/1.10
> Milestone: None => 1.10.1
>
> ** Changed in: mahara/1.8
> Milestone: None => 1.8.6
>
> ** Changed in: mahara/1.9
> Milestone: None => 1.9.4
>
> ** Changed in: mahara/1.10
> Importance: Undecided => High
>
> ** Changed in: mahara/1.8
> Importance: Undecided => High
>
> ** Changed in: mahara/1.9
> Importance: Undecided => High
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1363873
>
> Title:
> Session Management Issue- Session is not invalidating after password
> change
>
> Status in Mahara ePortfolio:
> Confirmed
> Status in Mahara 1.10 series:
> New
> Status in Mahara 1.8 series:
> New
> Status in Mahara 1.9 series:
> New
> Status in Mahara 15.04 series:
> Confirmed
>
> Bug description:
> Hi Security Team,
>
> I have discovered a session management issue on the domain
> https://mahara.org/
>
> Description of the issue-
>
> The application does not invalidate the previous session once the
> password is changed by the legitimate user.
>
> How to reproduce?-
>
> 1. Log in to the application at https://mahara.org/.
> 2. Let's assume the application user's account is compromised, so he wants
> to change his password: he navigates to the forgot-password page and
> changes his password.
> 3. The application user is able to change his password, but it was observed
> that the previous session was still not invalidated and I was actually able
> to browse the application from both sessions.
>
> Impact - If the application user's account is compromised, he will simply
> change his password, but if the previous session is not invalidated there is
> no use in changing the password.
> Please let me know if you need a video PoC for this.
>
> Remediation - Invalidate the previous session once the password has been
> changed and force the application user to log in to the application again.
>
> Thanks and Regards,
> Abhishek Dashora
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/mahara/+bug/1363873/+subscriptions
>
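The remediation the reporter asks for (kill every existing session when the password changes, including the forgot-password path where the user has no live session of their own) is straightforward to build server-side. The sketch below is an added, framework-agnostic illustration and is not Mahara's code: the in-memory stores, the `pw_generation` field and the `SessionStore` API are all assumptions made for the example. The idea is to store a per-user password generation counter, stamp each session with the generation it was issued under, and reject any session whose stamp no longer matches on the next request, so a session survives only if it was re-issued after the change.

```python
"""Session invalidation on password change (added example, not Mahara code).

The store, the ``pw_generation`` field and the API are assumptions for this
illustration; the pattern is what the bug report's remediation asks for.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    # Bumped on every password change. Sessions carry the value they were
    # issued under, so a stale session is recognised on its next request even
    # if it lives in a store that cannot be enumerated (e.g. signed cookies).
    pw_generation: int = 0


@dataclass
class Session:
    username: str
    pw_generation: int


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = User(username, salt, digest)

    def login(self, username: str, password: str) -> Optional[str]:
        """Verify the password in constant time and issue a fresh session id."""
        user = self.users.get(username)
        if user is None:
            return None
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.pw_hash):
            return None
        return self._issue(user)

    def _issue(self, user: User) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user.username, user.pw_generation)
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        """Resolve a session cookie to a user; drop sessions from an older
        password generation instead of trusting them."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        user = self.users[sess.username]
        if sess.pw_generation != user.pw_generation:
            del self.sessions[sid]  # stale: issued before the password change
            return None
        return user.username

    def change_password(self, username: str, new_password: str,
                        keep_sid: Optional[str] = None) -> Optional[str]:
        """Set a new password and invalidate every session of the user.

        ``keep_sid`` is the session the change was made from; it must belong
        to ``username`` and is re-issued under the new generation so the
        legitimate user stays logged in while every other session dies.
        The forgot-password flow passes None: nothing survives.
        """
        if keep_sid is not None and self.current_user(keep_sid) != username:
            raise PermissionError("session does not belong to this user")
        user = self.users[username]
        user.salt, user.pw_hash = hash_password(new_password)
        user.pw_generation += 1
        for sid in [s for s, v in self.sessions.items() if v.username == username]:
            del self.sessions[sid]
        return self._issue(user) if keep_sid is not None else None


def reporters_scenario() -> Tuple[bool, bool]:
    """The report's steps: an attacker holds a session, the victim resets the
    password via forgot-password. Returns (attacker_alive_before, _after)."""
    store = SessionStore()
    store.register("victim", "leaked-password")  # constructed sample account
    attacker_sid = store.login("victim", "leaked-password")
    before = store.current_user(attacker_sid) == "victim"
    store.change_password("victim", "new-strong-password", keep_sid=None)
    after = store.current_user(attacker_sid) == "victim"
    return before, after


if __name__ == "__main__":
    print("attacker session alive before/after reset:", reporters_scenario())
```

Checking the generation on every request, rather than only deleting rows at change time, is what makes the scheme robust: a session the server failed to enumerate (a replica lagging, a cookie-backed store) still dies the first time it is presented. Re-issuing a fresh id for the session that made the change also rotates the identifier, which is the usual practice after any privilege-relevant event.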