Old cookies lingering allowing one to login without giving login details
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Cecilia Vela Gurovic |
15.04 | Fix Released | High | Unassigned |
16.04 | Fix Released | High | Unassigned |
16.10 | Fix Released | High | Unassigned |
17.04 | Fix Released | High | Cecilia Vela Gurovic |
17.10 | Fix Released | High | Cecilia Vela Gurovic |
Bug Description
These are some security issues around Mahara and session cookies.
When one logs into Mahara, a 'mahara' cookie is set in the browser containing a unique string for the session. This value is also saved in the usr_session table to keep track of the session.
When one closes the browser without logging out, the value in the usr_session table is not removed, so if someone were to open a browser, visit the Mahara site and adjust the 'mahara' cookie to the old value, they can get access to the user's account.
Things that need fixing:
1) When a user logs in, clear any obsolete usr_session entries for the user.
- This will decrease the chance that an old cookie value can be used to access the user's account.
2) Record the user-agent of the session and, if it changes, prompt the user to log in again.
- This should reduce the chance of someone capturing the cookie value on the network and using it.
3) When users add or edit their own email address(es), require them to give their current password.
- This should reduce the hacker's ability to take over an account they get into (similar to how we currently do this when changing our password).
NOTE: Using an https site will greatly reduce the ability to discover the cookie value, as the cookie will be sent securely.
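The three fixes above, modelled together as an added example (not Mahara's own PHP code): an in-memory stand-in for the usr_session table that purges a user's old sessions at login, binds each session to the user-agent recorded at login, and demands the current password before an email change. The class name, the password-hash scheme and the sample users are constructed for this example.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """Constructed stand-in for Mahara's usr_session table plus minimal user records."""

    def __init__(self):
        self.sessions = {}  # session id (the 'mahara' cookie value) -> (user_id, user_agent)
        self.users = {}     # user_id -> {"salt": bytes, "pw": salted hash, "email": str}

    def add_user(self, user_id, password, email):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user_id] = {"salt": salt, "pw": digest, "email": email}

    def _check_password(self, user_id, password):
        rec = self.users[user_id]
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(digest, rec["pw"])

    def login(self, user_id, password, user_agent):
        if not self._check_password(user_id, password):
            return None
        # Fix 1: delete every existing session row for this user before issuing a new id,
        # so a cookie left behind in a closed browser no longer maps to a live session.
        for sid in [s for s, sess in self.sessions.items() if sess[0] == user_id]:
            del self.sessions[sid]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user_id, user_agent)
        return sid

    def authenticate(self, sid, user_agent):
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        # Fix 2: a cookie presented from a different user-agent ends the session.
        if sess[1] != user_agent:
            del self.sessions[sid]
            return None
        return sess[0]

    def change_email(self, sid, user_agent, current_password, new_email):
        user_id = self.authenticate(sid, user_agent)
        # Fix 3: a live session alone is not enough; the current password must be
        # re-entered, as Mahara already requires for a password change.
        if user_id is None or not self._check_password(user_id, current_password):
            return False
        self.users[user_id]["email"] = new_email
        return True
```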
no longer affects: mahara/18.04
information type: Private Security → Public Security
https://reviews.mahara.org/#/c/7870/