Bug Report: Insecure Permissions of Reusable cookie #717

Closed
Akityo opened this issue Jun 23, 2017 · 10 comments

@Akityo commented Jun 23, 2017

Steps to reproduce:

  1. Log in as Administrator and get the administrator's cookie.

(image)

  2. Capture the packet and request an administrator-only page.
    Accessible: [√ ]

(image)

  3. Now log out and delete all the administrator's cookies.

Accessible: [× ]

(image)

You can see the redirection.
But when the administrator logs in again,

this cookie can be reused.

(image)

Accessible: [√ ]

  4. Packet info:
    GET /piwigo/admin.php?page=plugin-LocalFilesEditor HTTP/1.1
    Host: 192.168.233.145
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
    Referer: http://192.168.233.145/piwigo/admin.php?page=plugin-TakeATour
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: pwg_id=8i3dh1pru4mu95g20i6ehajvm3;
    Connection: close

Environment:

  • Windows XP Professional
  • Apache
  • MySQL
  • PHP 5.4.45

Discovered by: topsec (lizhiqiang)

@plegall (Member) commented Jun 26, 2017

Thank you @Akityo for this report.

@modus75 does it look like a bug or a security issue to you?

@modus75 (Contributor) commented Jun 26, 2017

It depends on what "3. Log out" means. If it's clicking the logout link in Piwigo, we definitely have a bug (or a misconfiguration of the server domain and/or path used for setting the cookie versus deleting it).
If the link has not been clicked: no bug, normal behaviour.

@Akityo (Author) commented Jun 29, 2017

@modus75 Hi, I did click the logout link in Piwigo. You can verify it.

@modus75 (Contributor) commented Jun 30, 2017

I have just tested. The logout link removes the session data from the database. Even if the cookie is reused, this should recreate new session data from scratch (the session data contains the login information). So I cannot reproduce...
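The behaviour described here, modelled as an added example (not Piwigo's own code): a server-side session store where logout deletes the session record, so a replayed `pwg_id` cookie resolves to no login state and the admin page redirects, regardless of whether the browser still holds the old cookie. The session store, the status codes and the `replay_after_logout` walk-through are constructed for illustration.

```python
import secrets

# Constructed in-memory stand-in for the server-side session table.
SESSIONS = {}

ADMIN_PAGE = "/piwigo/admin.php?page=plugin-LocalFilesEditor"


def login(username, is_admin):
    """Create a fresh, unguessable session id and store login info server-side.
    The returned value is what the server would send in Set-Cookie: pwg_id=..."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "admin": is_admin}
    return sid


def logout(sid):
    """Delete the session record. The browser may still hold the old cookie,
    but it no longer maps to any login information on the server."""
    SESSIONS.pop(sid, None)


def parse_pwg_id(cookie_header):
    """Extract the pwg_id value from a Cookie header such as 'pwg_id=abc;'."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "pwg_id":
            return value
    return None


def handle_request(path, cookie_header):
    """Resolve the cookie against the store. Unknown or logged-out ids are
    treated as anonymous visitors: 302 redirect to login instead of 200."""
    session = SESSIONS.get(parse_pwg_id(cookie_header))
    if path.startswith("/piwigo/admin.php"):
        return 200 if session and session["admin"] else 302
    return 200


def replay_after_logout():
    """Walk the reporter's steps: log in, log out, log in again, then replay
    the first cookie. Returns the status codes seen at each step."""
    sid = login("administrator", True)
    before = handle_request(ADMIN_PAGE, f"pwg_id={sid};")
    logout(sid)
    after_logout = handle_request(ADMIN_PAGE, f"pwg_id={sid};")
    login("administrator", True)  # the new login gets a different id
    replayed = handle_request(ADMIN_PAGE, f"pwg_id={sid};")
    return before, after_logout, replayed
```

The replayed cookie stays rejected after the second login because the new session has a different id; only the pre-logout request succeeds.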

@plegall (Member) commented Jun 30, 2017

I also tested, like @modus75 did, and I also see the session being removed.

So I wonder what @Akityo has been able to do with a "deleted session id" :-/ There is no magic here: if the session is deleted on Piwigo side, you won't magically get administrator access by stealing the session id of an administrator that has logged out.

@Akityo can you give more details, by email, not on GitHub, about the security issue you have found?

@Akityo (Author) commented Jun 30, 2017

@plegall what's your email address? Maybe tomorrow, when I'm back home, I'll send a video to you. @modus75 It makes me confused now; I remember that before posting this report I had verified this twice.

@plegall (Member) commented Jun 30, 2017

@Akityo (Author) commented Jul 1, 2017

@plegall @modus75
Em... embarrassing...
I have to apologize for the false positive, my bad.
Yes, it can't be reproduced.

@plegall (Member) commented Jul 1, 2017

Fine, I'll close the issue then. Please, next time, send an email about security issues :-)

plegall closed this Jul 1, 2017

@fgeek commented Oct 7, 2017

CVE-2017-9837 was previously assigned for this issue (not requested by me). I'll ask for it to be rejected.
