mahara-contributors team mailing list archive
Message #45374
Re: [Bug 1363873] Re: Session Management Issue- Session is not invalidating after password change
Is the CVE ID confirmed for this? Is this CVE ID allocated to me?
On Nov 8, 2017 9:24 AM, "Kristina Hoeppner" <1363873@xxxxxxxxxxxxxxxxxx>
wrote:
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000136
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1363873
>
> Title:
> Session Management Issue- Session is not invalidating after password
> change
>
> Status in Mahara:
> Fix Released
> Status in Mahara 1.10 series:
> Fix Released
> Status in Mahara 1.8 series:
> Fix Released
> Status in Mahara 1.9 series:
> Fix Released
> Status in Mahara 15.04 series:
> Fix Released
>
> Bug description:
> Hi Security Team,
>
> I have discovered a session management issue on the domain
> https://mahara.org/
>
> Description of the issue-
>
> The application does not invalidate the previous session once the
> password is changed by the legitimate user.
>
> How to reproduce?-
>
> 1. Log in to the application at https://mahara.org/.
> 2. Let's assume the application user's account is compromised, so he wants to
> change his password; he will navigate to the forgot password page and
> change his password.
> 3. The application user is able to change his password, but it was observed
> that the previous session was still not invalidated, and I was actually able
> to browse the application from both sessions.
>
> Impact- If the application user's account is compromised, he will simply
> change his password, but if the previous session is not invalidated there is
> no use in changing the password.
> Please let me know if you need video PoC for this.
>
> Remediation- Invalidate the previous session once the password has
> been changed and force the application user to log in to the
> application again.
>
> Thanks and Regards,
> Abhishek Dashora
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/mahara/+bug/1363873/+subscriptions
>
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1363873
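The remediation the report asks for, shown as an added example that is not Mahara's code and not part of the original thread: a minimal server-side session store modelled in Python, with the reported behaviour (password changed, every earlier session still live) beside a hardened version that stamps each session with a password generation and purges the user's other sessions when the password changes. The store, the class and method names (SessionStore, reset_password, change_password) and the sample accounts are assumptions made for illustration.

```python
"""Session invalidation on password change: the reported bug beside a fix.

Added illustration, not Mahara's code. A minimal server-side session store
models the behaviour; every name here is invented for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 stands in for a real password hash; the iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # bumped on every password change (hardened store only)


class SessionStore:
    """Common login/validation logic; password change differs per subclass."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        # session id -> (username, password generation the session was issued under)
        self.sessions: Dict[str, Tuple[str, int]] = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(salt, hash_password(password, salt))

    def _check(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        return user is not None and hmac.compare_digest(
            user.pw_hash, hash_password(password, user.salt))

    def login(self, name: str, password: str) -> Optional[str]:
        if not self._check(name, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (name, self.users[name].pw_generation)
        return sid

    def is_valid(self, sid: str) -> bool:
        """A session is live only if it exists AND was issued under the current password."""
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        name, gen = entry
        return gen == self.users[name].pw_generation

    def _set_password(self, name: str, new_password: str) -> None:
        user = self.users[name]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = hash_password(new_password, user.salt)


class VulnerableStore(SessionStore):
    """Reproduces the report: the hash changes, every existing session stays live."""

    def reset_password(self, name: str, new_password: str) -> None:
        self._set_password(name, new_password)  # sessions are never touched


class HardenedStore(SessionStore):
    """Fix: bump the password generation and purge the user's sessions."""

    def reset_password(self, name: str, new_password: str) -> None:
        """Forgot-password flow: no trusted session exists, so everything is revoked."""
        self._set_password(name, new_password)
        self.users[name].pw_generation += 1
        self.sessions = {s: v for s, v in self.sessions.items() if v[0] != name}

    def change_password(self, sid: str, old_password: str,
                        new_password: str) -> Optional[str]:
        """Authenticated change: verify the old password, revoke every other
        session, and re-issue the caller's session under a fresh id."""
        if not self.is_valid(sid):
            return None
        name, _ = self.sessions[sid]
        if not self._check(name, old_password):
            return None
        self.reset_password(name, new_password)  # drops the caller's sid too
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = (name, self.users[name].pw_generation)
        return new_sid


def demo() -> Dict[str, bool]:
    """Constructed scenario: a hijacked session is logged in, then the legitimate
    user resets the password via the forgot-password flow. Returns whether the
    hijacked session is still accepted afterwards, per store."""
    results = {}
    for label, cls in (("vulnerable", VulnerableStore), ("hardened", HardenedStore)):
        store = cls()
        store.register("alice", "old-password")
        hijacked_sid = store.login("alice", "old-password")
        store.reset_password("alice", "new-password")
        results[label] = store.is_valid(hijacked_sid)
    return results
```

Two design points worth noting: `is_valid` compares the session's stored generation against the account's current one, so a stale session is rejected even if a purge is missed somewhere (for example a second session backend), and the authenticated `change_password` path re-issues the caller's own session rather than logging the legitimate user out along with the attacker.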