Old cookies lingering allowing one to login without giving login details

Bug #1701978 reported by Robert Lyon on 2017-07-03
Affects        Importance   Assigned to
Mahara         High         Cecilia Vela Gurovic
Mahara 15.04   High         Unassigned
Mahara 16.04   High         Unassigned
Mahara 16.10   High         Unassigned
Mahara 17.04   High         Cecilia Vela Gurovic
Mahara 17.10   High         Cecilia Vela Gurovic

Bug Description

These are some security issues around Mahara and session cookies.

When one logs into Mahara a 'mahara' cookie is set in the browser containing a unique string for the session. This value is also saved in the usr_session table to keep track of the session.

When one closes the browser without logging out, the value in the usr_session table is not removed, so if someone were to open a browser, visit the Mahara site and adjust the 'mahara' cookie to the old value, they can get access to the user's account.

Things that need fixing:

1) when a user logs in it clears any obsolete usr_session cookies for the user.
- this will decrease the chance an old cookie value can be used to access the user's account.

2) recording the user-agent of the session and if it changes to prompt the user to login again
- this should reduce the chance of someone capturing the cookie value on the network and using it

3) when self-adding / editing email address(es), the user is required to give their current password
- this should reduce the hacker's ability to take over an account they get into (similar to how we do this currently when changing our password).

NOTE: Using an https site will greatly reduce the ability to discover the cookie value as the cookie will be sent securely.
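As an added example (not Mahara's code; a Python model with an in-memory sqlite stand-in for the usr_session table, since the point is the store semantics rather than the PHP), the behaviour behind the report and fixes 1) and 2) above:

```python
import secrets
import sqlite3
import time

def new_store():
    """Constructed in-memory stand-in for Mahara's usr_session table (not its real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usr_session (usr INTEGER, session TEXT PRIMARY KEY,"
               " ctime REAL, useragent TEXT)")
    return db

def login(db, usr, useragent, clear_obsolete=True):
    """Issue a fresh 'mahara' cookie value for usr and record the session.

    Fix 1: with clear_obsolete=True every earlier usr_session row for this
    user is deleted first, so a cookie value left in a closed browser no
    longer resolves to a live session. False reproduces the reported bug."""
    if clear_obsolete:
        db.execute("DELETE FROM usr_session WHERE usr = ?", (usr,))
    sid = secrets.token_hex(16)
    db.execute("INSERT INTO usr_session VALUES (?, ?, ?, ?)",
               (usr, sid, time.time(), useragent))
    return sid

def resolve(db, cookie, useragent, timeout=3600):
    """Map a presented cookie to a user id, or None when login is required.

    Fix 2: the user-agent recorded at login must match the one presented
    now; on a mismatch (or timeout) the row is dropped so the caller
    prompts the user to log in again."""
    row = db.execute("SELECT usr, ctime, useragent FROM usr_session"
                     " WHERE session = ?", (cookie,)).fetchone()
    if row is None:
        return None
    usr, ctime, ua = row
    if time.time() - ctime > timeout or ua != useragent:
        db.execute("DELETE FROM usr_session WHERE session = ?", (cookie,))
        return None
    return usr

def replay_report(clear_obsolete):
    """Replay the report: log in, 'close the browser' without logging out,
    log in again later, then present the first cookie value.
    Returns the user id that old cookie resolves to (None = rejected)."""
    db = new_store()
    ua = "Mozilla/5.0 (constructed sample UA)"
    old_cookie = login(db, 42, ua, clear_obsolete)
    login(db, 42, ua, clear_obsolete)
    return resolve(db, old_cookie, ua)
```

With clear_obsolete=False the old cookie still resolves to the account after a later login; with the fix it does not, and a session presented from a different user-agent is dropped and must log in again.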

Kristina Hoeppner (kris-hoeppner) wrote :

CVE-2017-14163

Yuliya Bozhko (yuliya.bozhko) wrote :

Got an email about this issue.

The scenario that is described here is a perfectly valid use of a session. We can never know that the user terminated the browser, so the only thing we can do is to look for old sessions and purge them after some lengthy inactivity. There is already a session timeout mechanism in place. Reusing one's own cookie in a different browser is definitely not a security issue.

"This should reduce the chance of someone capturing the cookie value on the network and using it" is not right... Once you get access to someone's cookies it is pretty much game over.

We have a session timeout code and we are setting proper security flags on our cookie - that is far far more important!

Email change with password? This doesn't make it more secure. Sending confirmation to previous and already verified email is the best way to confirm it is you. However, I do realise that email is not a required field in Mahara. Also, how would this password confirmation work with SSO?

Re: the user agent, I am not sure if that is a good idea either. According to https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Binding_the_Session_ID_to_Other_User_Properties it is a good thing to capture, but it does nothing against skilled hackers. If we need to add a user agent, it can be added to $_SESSION itself, no need to modify the database structure.

Optional IP locking might be a good thing to add. It is rarely used these days, but can be useful when necessary.

Kristina Hoeppner (kris-hoeppner) wrote :

Thank you for your concerns, Yuliya. We'll discuss this a bit more and post a suggestion for review here to see what can be done.

Robert Lyon (robertl-9) wrote :

Having discussed this some more, we will proceed with points 1) and 2) from the initial description, but for point 3) we will do this instead:

3) On adding a new email via the Content -> Profile section we will send 2 emails
- one to the new email address asking the user to confirm the address
- and one to the primary email address to alert the user that a new email is being added to their account and, if this is bad, how to contact their admin about the problem.

Kristina Hoeppner (kris-hoeppner) wrote :

Reported by Mushraf Mustafa

Robert Lyon (robertl-9) on 2017-10-29
no longer affects: mahara/18.04
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/7998
Committed: https://git.mahara.org/mahara/mahara/commit/1b7859ab1361cf1ed095ec030d8643e3043bb289
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 1b7859ab1361cf1ed095ec030d8643e3043bb289
Author: Robert Lyon <email address hidden>
Date: Fri Sep 8 09:44:26 2017 +1200

Security Bug 1701978: fix session cookie issues

1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
login again
3. when self adding / editing email address(es)
send 2 emails
 - one to the new email address asking user to confirm address
 - and one to the primary email address to alert user
 that a new email is being added to their account and
 if this is bad how to contact their admin about the problem.

behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8000
Committed: https://git.mahara.org/mahara/mahara/commit/424ded281718e23acfb08c4c0cc7772b2bbd9585
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 424ded281718e23acfb08c4c0cc7772b2bbd9585
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Jul 5 13:16:07 2017 +1200

Security Bug 1701978: fix session cookie issues

1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
login again
3. when self adding / editing email address(es)
send 2 emails
 - one to the new email address asking user to confirm address
 - and one to the primary email address to alert user
 that a new email is being added to their account and
 if this is bad how to contact their admin about the problem.

behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8002
Committed: https://git.mahara.org/mahara/mahara/commit/69bcdb52be49481c03b26410553169bfc0acbcb5
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 69bcdb52be49481c03b26410553169bfc0acbcb5
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Jul 5 13:16:07 2017 +1200

Security Bug 1701978: fix session cookie issues

1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
login again
3. when self adding / editing email address(es)
send 2 emails
 - one to the new email address asking user to confirm address
 - and one to the primary email address to alert user
 that a new email is being added to their account and
 if this is bad how to contact their admin about the problem.

behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8005
Committed: https://git.mahara.org/mahara/mahara/commit/1b7ae5f30245e32335f111bc0290597822e9273b
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit 1b7ae5f30245e32335f111bc0290597822e9273b
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Jul 5 13:16:07 2017 +1200

Security Bug 1701978: fix session cookie issues

1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
login again
3. when self adding / editing email address(es)
send 2 emails
 - one to the new email address asking user to confirm address
 - and one to the primary email address to alert user
 that a new email is being added to their account and
 if this is bad how to contact their admin about the problem.

behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8
