Security Fix for Session Fixation - huntr.dev #1112
Conversation
Invalid bounty Rate Limiting
Remove persistent sessions after password change
There was a problem hiding this comment.
I'm a bit late, but I've tested this on UF5. It simply doesn't work as intended. Sure, the "remember me" token will be removed from the database, but all PHP sessions will still be active. If you freshly login both browser and call "logout" on the first, the second browser will still be logged in. In fact, it's exactly the same as "login out" manually from the first browser without using "remember me"
However, I do agree there is a need for a function to logout a specific user from all devices.
| // Auto-login the user (without "remember me") | ||
| $user = $passwordReset->user; | ||
| // Create a new session | ||
| $authenticator->login($user); |
There was a problem hiding this comment.
This code is not optimized : Login-in the user to log him out again, to log him in again is not an optimized process.
Note with UF5, the behavior of this page has changed. First, the page is guarded by the GuestGuard middleware, making sure nobody is logged in to access it. It then sends the user back to the login page instead of login him in automatically.
| @@ -162,7 +162,18 @@ | |||
| 'check_username_request' => null, | |||
| 'password_reset_request' => null, | |||
| 'registration_attempt' => null, | |||
| 'sign_in_attempt' => null, | |||
There was a problem hiding this comment.
N.B.: The sign_in_attempt is null on purpose, as it's enabled only on production environment.
| $authenticator->logout(true); | ||
|
|
||
| // Auto-login the user (without "remember me") | ||
| $authenticator->login($user); |
There was a problem hiding this comment.
Same here. Login-in the user to log him out again, to log him in again is not an optimized process.
|
I'm closing this as it's old, an opening #1245 to keep track of the issue. |
https://huntr.dev/users/alromh87 has fixed the Session Fixation vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/staging/bounties/packagist/userfrosting/userfrosting/2/vulnerability.json
User Comments:
📊 Metadata *
Bounty URL: https://www.huntr.dev/bounties/2-packagist-userfrosting%2Fuserfrosting
⚙️ Description *
Persistent sessions are invalidated after password change.
💻 Technical Description *
Userfost uses
gbirke/remembermefor persistent sessions socleanAllTripletsis called via logout inAuthenticatorclass after password change.🐛 Proof of Concept (PoC) *
🔥 Proof of Fix (PoF) *
After fix persistent session will be invalidated and user will have to login again.
👍 User Acceptance Testing (UAT)
Password can be changed normally