Session Management Issue- Session is not invalidating after password change

Hi Abhishek,

Sorry, for the slow reply. This bug report must have slipped through the cracks.

We'll take a look at this. Do you want to be listed on the Mahara Project's security contributors page? https://wiki.mahara.org/index.php/Contributors#Security_researchers

If so, please let me know if you want your Twitter handle or other URL next to your name.

Cheers,
Aaron

Hi Aaron,

Glad to receive response from your end.

I would be lucky to be listed on Mahara Contributor Page. Below are the
details

Abhishek Dashora (https://www.facebook.com/ad271)

Thanks and Regards,
Abhishek Dashora

On Fri, Oct 31, 2014 at 11:02 AM, Aaron Wells <email address hidden>
wrote:

> Hi Abhishek,
>
> Sorry, for the slow reply. This bug report must have slipped through the
> cracks.
>
> We'll take a look at this. Do you want to be listed on the Mahara
> Project's security contributors page?
> https://wiki.mahara.org/index.php/Contributors#Security_researchers
>
> If so, please let me know if you want your Twitter handle or other URL
> next to your name.
>
> Cheers,
> Aaron
>
> ** Changed in: mahara
> Status: New => Confirmed
>
> ** Changed in: mahara
> Importance: Undecided => High
>
> ** Changed in: mahara
> Milestone: None => 15.04.0
>
> ** Also affects: mahara/15.04
> Importance: High
> Status: Confirmed
>
> ** Also affects: mahara/1.9
> Importance: Undecided
> Status: New
>
> ** Also affects: mahara/1.10
> Importance: Undecided
> Status: New
>
> ** Also affects: mahara/1.8
> Importance: Undecided
> Status: New
>
> ** Changed in: mahara/1.10
> Milestone: None => 1.10.1
>
> ** Changed in: mahara/1.8
> Milestone: None => 1.8.6
>
> ** Changed in: mahara/1.9
> Milestone: None => 1.9.4
>
> ** Changed in: mahara/1.10
> Importance: Undecided => High
>
> ** Changed in: mahara/1.8
> Importance: Undecided => High
>
> ** Changed in: mahara/1.9
> Importance: Undecided => High
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1363873
>
> Title:
> Session Management Issue- Session is not invalidating after password
> change
>
> Status in Mahara ePortfolio:
> Confirmed
> Status in Mahara 1.10 series:
> New
> Status in Mahara 1.8 series:
> New
> Status in Mahara 1.9 series:
> New
> Status in Mahara 15.04 series:
> Confirmed
>
> Bug description:
> Hi Security Team,
>
> I have discovered the session management issue on the domain
> https://mahara.org/
>
> Description of the issue-
>
> The application does not invalidate the previous session once the
> password is changed by the legitimate user.
>
> How to reproduce?-
>
> 1. Login in the application using https://mahara.org/ and login into
> the application.
> 2. Lets assume application user's account is compromised so he wants to
> change his password, he will navigate to forgot password page and will
> change his password.
> 3. Application user is able to change his password but it was observed
> that still the previous session was not invalidated and i was actually able
> to browse the application from both the sessions.
>
> Impact- If the application user's account is compromised, he will simply
> change his password but if the previous session is not invalidated there is
> no use of changing the password.
> Please let me know if you need video PoC for this.
>
> Remediation- Invalidate the previous session once the password has
> been changed and enforce the application user to relogin in the
>...

Have submitted a patch for this:
https://reviews.mahara.org/#/c/3902/

Is the CVE I'd confirmed for this? Is this CVE ID allocated to me?

On Nov 8, 2017 9:24 AM, "Kristina Hoeppner" <email address hidden>
wrote:

> ** CVE added: https://cve.mitre.org/cgi-
> bin/cvename.cgi?name=2017-1000136
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1363873
>
> Title:
> Session Management Issue- Session is not invalidating after password
> change
>
> Status in Mahara:
> Fix Released
> Status in Mahara 1.10 series:
> Fix Released
> Status in Mahara 1.8 series:
> Fix Released
> Status in Mahara 1.9 series:
> Fix Released
> Status in Mahara 15.04 series:
> Fix Released
>
> Bug description:
> Hi Security Team,
>
> I have discovered the session management issue on the domain
> https://mahara.org/
>
> Description of the issue-
>
> The application does not invalidate the previous session once the
> password is changed by the legitimate user.
>
> How to reproduce?-
>
> 1. Login in the application using https://mahara.org/ and login into
> the application.
> 2. Lets assume application user's account is compromised so he wants to
> change his password, he will navigate to forgot password page and will
> change his password.
> 3. Application user is able to change his password but it was observed
> that still the previous session was not invalidated and i was actually able
> to browse the application from both the sessions.
>
> Impact- If the application user's account is compromised, he will simply
> change his password but if the previous session is not invalidated there is
> no use of changing the password.
> Please let me know if you need video PoC for this.
>
> Remediation- Invalidate the previous session once the password has
> been changed and enforce the application user to relogin in the
> application.
>
> Thanks and Regards,
> Abhishek Dashora
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/mahara/+bug/1363873/+subscriptions
>

Hi Abhishek,

There is nothing to do for you. The CVE has been published as we released a fix for the bug already. Please see https://mahara.org/interaction/forum/topic.php?id=7166

It was just now that we received the CVE assignment and I updated the bug report with the reference.

Cheers
Kristina