Security flaw
Posted by elmotard
Security flaw August 05, 2022 05:55AM |
Registered: 7 years ago Posts: 21 |
Hello,
I received an email about a security flaw in Phorum (I previously sent an email to the Phorum developer about it, a few months ago).
---
I hope you are well. As an independent security researcher, I have found some bugs/vulnerabilities in your website.
Vulnerability: Failure to invalidate session on forget password
I have observed that when we request a forgot password link it updates the session instead of expiration. If an account is logged in some account and the password reset link is used the other account will get updated but not expired.
Steps to reproduce:
1. Request a forgot password link.
2. Now log in in another browser and then use the password reset link in another browser.
3. You will notice that the password will be changed successfully and the other browser will still be active with the account you opened in it.
Impact:
If some account is logged in in some browser it will not be logged out from that browser and will be logged in and can be used for malicious activities.
Recommendations:
It should expire immediately when the password is changed.
---
Any idea on how to fix it?
My version is version 5.2.19, but per the response from the Phorum developer, it has not been fixed since then.
Thank you
Re: Security flaw August 05, 2022 09:28AM |
Admin Registered: 19 years ago Posts: 575 |
The question is: why does this not work?
include/api/user.php (around line 119)

/**
 * Function call parameter, which tells {@link phorum_api_user_session_create()}
 * that session ids have to be reset to new values as far as that is sensible
 * for a newly logged in user.
 */
define('PHORUM_SESSID_RESET_LOGIN', 1);

/**
 * Function call parameter, which tells {@link phorum_api_user_session_create()}
 * that all session ids have to be reset to new values. This is for example
 * appropriate after a user changed the password (so active sessions on
 * other computers or browsers will be ended).
 */
define('PHORUM_SESSID_RESET_ALL', 2);

/**
Re: Security flaw August 18, 2022 03:20PM |
Registered: 7 years ago Posts: 21 |
Re: Security flaw August 18, 2022 04:06PM |
Admin Registered: 19 years ago Posts: 575 |
You would need to do something that requires the user to be logged in. Most message boards don't check for credentials (session) again until an action that requires a good login.
What happens in the browser with the old login if you access something like the user control panel, or post a message? (Assuming posting a message requires a current session and logged in user (set in the admin)).
or
Try to post a message from the browser that should not work.
If you are just changing pages, they could be in the browser cache.
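A minimal model of the behaviour discussed in this thread, added here as an example and not taken from Phorum's source: a password change that keeps the stored session id leaves an older browser's cookie valid, while rotating the id makes that cookie fail on the next request that checks it. The class, its methods and the cookie format are hypothetical; the `$resetAll` flag only mirrors the idea described in the `PHORUM_SESSID_RESET_ALL` comment quoted above.

```php
<?php
// Added illustration: hypothetical names, not Phorum's API; data is constructed.
final class SessionStore
{
    private array $users = []; // user id => ['hash' => ..., 'sessid' => ...]

    public function register(int $id, string $password): void
    {
        $this->users[$id] = [
            'hash'   => password_hash($password, PASSWORD_DEFAULT),
            'sessid' => bin2hex(random_bytes(16)),
        ];
    }

    // Login hands the browser a cookie value "<user id>:<session id>".
    public function login(int $id, string $password): ?string
    {
        $u = $this->users[$id] ?? null;
        $ok = $u !== null && password_verify($password, $u['hash']);
        return $ok ? $id . ':' . $u['sessid'] : null;
    }

    // Run on every request that requires a logged-in user.
    public function isValid(string $cookie): bool
    {
        [$id, $sessid] = array_pad(explode(':', $cookie, 2), 2, '');
        $u = $this->users[(int) $id] ?? null;
        return $u !== null && hash_equals($u['sessid'], $sessid);
    }

    // Password change or reset: replace the hash and, when $resetAll is set,
    // rotate the session id so cookies issued earlier stop validating.
    public function changePassword(int $id, string $new, bool $resetAll): void
    {
        $this->users[$id]['hash'] = password_hash($new, PASSWORD_DEFAULT);
        if ($resetAll) {
            $this->users[$id]['sessid'] = bin2hex(random_bytes(16));
        }
    }
}

$store = new SessionStore();
$store->register(1, 'old-password');            // constructed sample account
$browserA = $store->login(1, 'old-password');   // session left open elsewhere

$store->changePassword(1, 'new-password', false);  // hash changed, id kept
var_dump($store->isValid($browserA));
$store->changePassword(1, 'newer-password', true); // id rotated as well
var_dump($store->isValid($browserA));
```

The rejection only becomes visible when a request actually runs the session check, which is why the test suggested in the reply above (open the control panel or post a message from the old browser) is the meaningful one.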