
mahara-contributors team mailing list archive

[Bug 1328705] [NEW] Other active sessions should be destroyed after changing password


*** This bug is a security vulnerability ***

Private security bug reported:

Reported by FaisaL Ahmed, http://www.faisalahmed.me/

In Mahara, changing the password doesn't destroy the other sessions which are
logged in with old passwords.
As other sessions are not destroyed, an attacker may still be logged in to your
account even after changing the password, as his session is still
active; he'll have complete access to your account till that session
expires!
So, your account remains insecure even after changing the password.

We have 2 options to solve this:
1. Delete all active sessions right after a user changes his/her password.
2. Facebook solved this issue by adding a process that asks
users whether they want to close all open sessions or not right after
changing the password.
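As an added illustration of option 1, written for this archive and not taken from the bug report or from Mahara's code base: a toy in-memory session store (all names are constructed) that destroys every other session of the user when the password changes, and additionally tags each session with the password "generation" it was authenticated under so that a session issued before the change is rejected at request time even if it was never explicitly deleted. Option 2 differs only in asking the user before calling the same deletion step.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    password_hash: str            # stand-in; a real application stores a salted hash
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    user_id: int
    password_generation: int      # generation the session was authenticated under


class SessionStore:
    """Constructed in-memory session store used only for this example."""

    def __init__(self):
        self.sessions = {}        # session id -> Session

    def login(self, user: User) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user.user_id, user.password_generation)
        return sid

    def is_valid(self, sid: str, user: User) -> bool:
        # Defence in depth: a session that predates the last password change
        # fails this check even if it survived (e.g. lived in another store).
        s = self.sessions.get(sid)
        return (s is not None
                and s.user_id == user.user_id
                and s.password_generation == user.password_generation)

    def change_password(self, user: User, new_hash: str, current_sid: str) -> int:
        """Set the new password, keep only the session that made the change,
        and return the number of other sessions destroyed."""
        user.password_hash = new_hash
        user.password_generation += 1
        # The session performing the change stays valid under the new generation.
        if current_sid in self.sessions:
            self.sessions[current_sid].password_generation = user.password_generation
        stale = [sid for sid, s in self.sessions.items()
                 if s.user_id == user.user_id and sid != current_sid]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)
```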

** Affects: mahara
     Importance: High
         Status: Confirmed


** Tags: security

** Information type changed from Public to Public Security

** Information type changed from Public Security to Private Security

** Tags removed: session
** Tags added: security

** Description changed:

- Reported by Turzo Ahmed <ondhokarer_rajputra@xxxxxxxxxxx>
+ Reported by FaisaL Ahmed, http://www.faisalahmed.me/
  
  In Mahara, changing the password doesn't destroys the other sessions which are
  logged in with old passwords.
  As other sessions is not destroyed, attacker may be still logged in your
  account even after changing password, as his session is still
  active.. he'll have complete access on your account till that session
  expires!
  So, your account remains insecure even after the changing of password.
  
  We have 2 options to solve
  1.  Delete all active sessions right after an user changes his/her password
  2. Facebook solved this issue by adding a process that asks
  users whether user want to close all open sessions or not right after
  changing password.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1328705


To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1328705/+subscriptions

