In-Portal Issue Tracker


ID: 0000089
Category: [In-Portal CMS] Security
Type: bug report
Reproducibility: always
Date Submitted: 2009-06-17 07:56
Last Update: 2009-10-03 07:56
Reporter: alex
View Status: public
Project Name: In-Portal CMS
Assigned To: alex (Developer)
Priority: normal
Resolution: fixed
Fixed in Version: 5.0.0
Status: closed
Product Version: 4.3.9
Target Version: 5.0.0
Time Estimate: No estimate
Summary: 0000089: Session expiration doesn't happen in admin
Description: Session expiration doesn't happen the way it should when the user is in the administrative console.

Let's assume that the site has multiple administrators. Two administrators are working in the administrative console right now. The second administrator suddenly falls asleep for exactly the session expiration time (1 hour). Meanwhile, the first administrator continues to update the site with new information for about 2 hours. This way the first administrator's script (index.php) performs expiration of the second administrator's session (deletes the record from the UserSession table and the related records from the SessionData table).

Then the second administrator wakes up, assumes that he/she wasn't sleeping long enough for the session to expire, and, let's say, goes to another tab in the user editing form. Despite his/her session having been expired by the first administrator, he/she (the second administrator) can still reach the template (with an event on it) he/she intended to. Nothing bad, it seems, but if the event writes data to a live table, then it is a security hole indeed.

What will happen in the case described above:
For data editing, a temporary table is created and associated with the given session. In this case the temporary table will be expired/deleted along with the session, and the user will see an SQL error (if in debug mode) or will be redirected to the administrative console login screen (if not in debug mode).

Additional Information: The problem described above has only existed since the 4.3.1 release, when the session expiration check was moved away from the "Session::Init" method to the new "Session::ValidateExpired" method, which is called at the end of the "kApplication::Init" method (to redirect to the correct template when in mod-rewrite mode and session expiration happens).
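Added illustration (not In-Portal code and not part of the report; all class and function names are hypothetical, and the timestamps are constructed): a minimal model of the ordering problem the report describes. Any request's script garbage-collects idle sessions from a shared store, so a session can be deleted by someone else's request. If the request that carries the stale session identifier dispatches its event before the expiry check runs, the write to the live table goes through and only then is the user redirected to the login screen. The hardened flow checks existence and freshness of the session row first and treats a missing row as expired.

```php
<?php
// Added illustration of the session-expiry ordering issue (hypothetical code,
// not In-Portal's). Requires PHP 8 (str_contains).

const SESSION_TIMEOUT = 3600; // 1 hour, the expiration time used in the report

// In-memory stand-in for the UserSession table: sid => [user, last_activity].
final class SessionStore
{
    private array $rows = [];

    public function create(string $sid, string $user, int $now): void
    {
        $this->rows[$sid] = ['user' => $user, 'last_activity' => $now];
    }

    public function touch(string $sid, int $now): void
    {
        if (isset($this->rows[$sid])) {
            $this->rows[$sid]['last_activity'] = $now;
        }
    }

    // Garbage collection run by *any* request: deletes every session idle
    // longer than the timeout. This is the step where the first
    // administrator's request expires the second administrator's session.
    public function expireStale(int $now): array
    {
        $deleted = [];
        foreach ($this->rows as $sid => $row) {
            if ($now - $row['last_activity'] > SESSION_TIMEOUT) {
                unset($this->rows[$sid]);
                $deleted[] = $sid;
            }
        }
        return $deleted;
    }

    // A session is valid only if its row still exists and is fresh.
    public function isValid(string $sid, int $now): bool
    {
        return isset($this->rows[$sid])
            && ($now - $this->rows[$sid]['last_activity'] <= SESSION_TIMEOUT);
    }
}

// A state-changing event handler, e.g. saving a record to a live table.
function runEvent(string $sid, array &$liveTable): void
{
    $liveTable[] = "written by session $sid";
}

// Vulnerable flow: the event is dispatched before the expiry check, mirroring
// the "ValidateExpired is called at the end of Init" ordering in the report.
function handleRequestVulnerable(SessionStore $store, string $sid, int $now, array &$liveTable): string
{
    $store->expireStale($now);
    runEvent($sid, $liveTable);          // the write happens first ...
    if (!$store->isValid($sid, $now)) {  // ... and only then is the session rejected
        return 'redirect:login';
    }
    $store->touch($sid, $now);
    return 'ok';
}

// Hardened flow: the session is validated before any handler runs.
function handleRequestFixed(SessionStore $store, string $sid, int $now, array &$liveTable): string
{
    $store->expireStale($now);
    if (!$store->isValid($sid, $now)) {
        return 'redirect:login';
    }
    $store->touch($sid, $now);
    runEvent($sid, $liveTable);
    return 'ok';
}

// Replays the report's scenario: two admins log in at t=0, the first keeps
// working every 10 minutes for two hours, the second is idle and then submits
// a form whose event writes to the live table.
function scenario(callable $handler): array
{
    $store = new SessionStore();
    $live = [];
    $store->create('admin1', 'first', 0);
    $store->create('admin2', 'second', 0);
    for ($t = 600; $t <= 7200; $t += 600) {
        $handler($store, 'admin1', $t, $live);
    }
    $result = $handler($store, 'admin2', 7200, $live);
    $writesBySecond = count(array_filter($live, fn($r) => str_contains($r, 'admin2')));
    return ['result' => $result, 'writes_by_second_admin' => $writesBySecond];
}

var_dump(scenario('handleRequestVulnerable'));
var_dump(scenario('handleRequestFixed'));
```

Running the script shows the difference between the two flows: both redirect the second administrator to the login screen, but in the vulnerable flow the live-table write has already been made by the time the redirect is issued, while in the fixed flow no write occurs. The point for a fix is that the check belongs on the request path before event dispatch, and that "no session row" must be treated as "expired", since the deletion may have been performed by a different user's request.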
Tags: No tags attached.
Estimate Points: 0


Notes

Note 0000085
alex (manager)
2009-06-17 08:06

Fix committed to RC branch. Commit Message:

1. Fixes 0000089: Session expiration doesn't happen in admin.
2. Width of overlay div shown during ajax requests is now also updated, when window is resized.
3. Function maximizeElement (javascript) now also updates maximized control size on window resize.
4. "Tools -> Query Database" section now uses correct class for column header (class was missing before this fix).
5. Fixed warning about missing 'login_template' parameter for m_RequireLogin tag (in kPermissionHelper::getPermissionTemplate method).
Note 0000673
administrator (administrator)
2009-10-03 07:56

Closing issues from 5.0.0 version, because version was already released.

Related Changesets
In-Portal CMS: RC r11865
Timestamp: 2009-06-17 08:06:24
Author: alex
Modified files:
mod - /in-portal/branches/RC/core/admin_templates/js/ajax.js
mod - /in-portal/branches/RC/core/admin_templates/js/script.js
mod - /in-portal/branches/RC/core/admin_templates/tools/sql_query.tpl
mod - /in-portal/branches/RC/core/kernel/processors/main_processor.php
mod - /in-portal/branches/RC/core/kernel/session/session.php
mod - /in-portal/branches/RC/core/kernel/utility/http_query.php
mod - /in-portal/branches/RC/core/units/general/helpers/permissions_helper.php
mod - /in-portal/branches/RC/core/units/users/users_event_handler.php

Issue History
Date Modified | Username | Field | Change
2009-10-03 07:56 administrator Note Added: 0000673
2009-10-03 07:56 administrator Status resolved => closed
2009-06-17 08:57 alex Fixed in Version => 5.0.0
2009-06-17 08:57 alex Target Version => 5.0.0
2009-06-17 08:06 alex Note Added: 0000085
2009-06-17 08:06 alex Status active => resolved
2009-06-17 08:06 alex Resolution open => fixed
2009-06-17 08:06 alex Assigned To => alex
2009-06-17 08:06 alex Changeset attached RC r11865
2009-06-17 07:56 alex New Issue



Copyright © 2000 - 2009 MantisBT Group

Powered by Mantis Bugtracker