In-Portal Issue Tracker - In-Portal CMS

Viewing Issue Advanced Details

ID: 89
Category: [In-Portal CMS] Security
Type: bug report
Reproducibility: always
Date Submitted: 2009-06-17 07:56
Last Update: 2009-10-03 07:56

Reporter: alex
Platform:
Assigned To: alex
OS:
Priority: normal
OS Version:
Status: closed
Product Version: 4.3.9
Product Build:
Resolution: fixed
ETA: none
Fixed in Version: 5.0.0
Reference:
Change Log Message:
Estimate Points: 0

Summary: 0000089: Session expiration doesn't happen in admin
Description:

Session expiration doesn't happen the way it should when the user is working in the administrative console.

Assume the site has multiple administrators and two of them are working in the administrative console right now. The second administrator suddenly falls asleep for exactly the session expiration time, 1 hour. The first administrator, on the other hand, continues updating the site with new information for about 2 hours. This way the first administrator's script (index.php) performs the expiration of the second administrator's session (it deletes the record from the UserSession table and the related records from the SessionData table).

Then the second administrator wakes up, assumes he/she wasn't sleeping long enough for the session to expire, and, let's say, goes to another tab in the user editing form. Even though his/her session has already been expired by the first administrator, the second administrator can still reach the template (with the event on it) he/she intended to. That seems harmless, but if the event writes data to a live table, it is a real security hole.

What will happen in the case described above:
For data editing a temporary table is created and associated with the given session. In this case the temporary table will be expired/deleted along with the session, and the user will see an SQL error (in debug mode) or will be redirected to the administrative console login screen (when not in debug mode).
Steps To Reproduce:
Additional Information:

The problem described above has only existed since the 4.3.1 release, when the session expiration check was moved from the "Session::Init" method to the new "Session::ValidateExpired" method, which is called at the end of the "kApplication::Init" method (so that the redirect goes to the correct template when mod-rewrite mode is on and a session expiration happens).
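The ordering problem the report describes, modelled as an added Python example (this is not In-Portal's PHP code; the session store, the timings and the "save_user" event are constructed stand-ins): any request's lazy garbage collection deletes other administrators' stale sessions, so a request whose own session row is already gone must be refused before its event runs, not after.

```python
SESSION_TIMEOUT = 3600  # 1 hour, the expiration window quoted in the report


class SessionStore:
    """Constructed stand-in for the UserSession table: sid -> last activity."""

    def __init__(self):
        self.sessions = {}

    def login(self, sid, now):
        self.sessions[sid] = now

    def expire_stale(self, now):
        """Lazy expiration run by whichever request happens to execute it;
        it deletes every stale session, other administrators' included."""
        stale = [s for s, last in self.sessions.items()
                 if now - last >= SESSION_TIMEOUT]
        for s in stale:
            del self.sessions[s]
        return stale

    def is_valid(self, sid):
        return sid in self.sessions


def handle_request(store, sid, now, event, live_table, check_before_event):
    """One admin request. check_before_event=False reproduces the ordering
    the report describes (expiration validated only after the event ran);
    True gates the event on the session row still existing."""
    store.expire_stale(now)                    # every request garbage-collects
    if check_before_event and not store.is_valid(sid):
        return "redirect:login"
    if event:
        live_table.append((sid, event))        # an event that writes a live table
    if not store.is_valid(sid):                # the late check: write already done
        return "redirect:login"
    store.sessions[sid] = now                  # refresh activity for a valid session
    return "ok"


def scenario(check_before_event):
    """Admin B idles for 1 h while admin A keeps working for 2 h; then B
    submits a form whose event writes to a live table."""
    store, live = SessionStore(), []
    store.login("admin_a", 0)
    store.login("admin_b", 0)
    for t in range(600, 7201, 600):            # A is active every 10 minutes
        handle_request(store, "admin_a", t, None, live, check_before_event)
    verdict = handle_request(store, "admin_b", 7200, "save_user", live, check_before_event)
    return verdict, [e for e in live if e[0] == "admin_b"]
```

In the report's ordering the user still ends up on the login screen, which is why the write to the live table goes unnoticed; the early check yields the same redirect with no write.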
Relationships:

Attached Files:

Issue History

Date Modified      Username       Field               Change
2009-10-03 07:56   administrator  Note Added          0000673
2009-10-03 07:56   administrator  Status              resolved => closed
2009-06-17 08:57   alex           Fixed in Version    => 5.0.0
2009-06-17 08:57   alex           Target Version      => 5.0.0
2009-06-17 08:06   alex           Note Added          0000085
2009-06-17 08:06   alex           Status              active => resolved
2009-06-17 08:06   alex           Resolution          open => fixed
2009-06-17 08:06   alex           Assigned To         => alex
2009-06-17 08:06   alex           Changeset attached  RC r11865
2009-06-17 07:56   alex           New Issue