Security Bug - Users whose passwords have been changed can still access gitblit #657

Closed
gitblit opened this issue Aug 12, 2015 · 3 comments

Comments

@gitblit
Collaborator

gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 361

What steps will reproduce the problem?
1. Login as user Admin to gitblit on Firefox
2. Login as user Admin to gitblit on Chrome and change password for Admin user
3. You still have full access under the cookies on Firefox even though the password has
been changed.

What is the expected output? What do you see instead?
Users whose passwords have changed can still connect and make changes to their own
account if they have not logged out or deleted their cookies.

What version of the product are you using? On what operating system?
Current Release 1.3.2 on Windows Server 2012 and CentOS 6.4

Please provide any additional information below.
If an admin user leaves an organization but had accessed the gitblit server through
his browser at home, he will still be able to access gitblit even after his password
has been changed, and will have the ability to change back the admin password and create
havoc on the server.

Reported by ram@goodfreebooks.com on 2014-01-22 06:45:27

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

You are right.  The cookie has not been invalidated but it should be.  I'll get that
patched.

The session is a little more complex.  I don't think I can invalidate another user's
session directly.  I've been planning on introducing a "disabled" flag for an account
so the user data is retained, but authentications would fail.  I think that would help
here as I already refresh the UserModel in the session on each request to check for
new/removed repo permissions.  It wouldn't be hard to check for the disabled flag at
the same time.

Reported by James.Moger on 2014-01-22 13:04:31

  • Status changed: Accepted
  • Labels added: Milestone-1.4.0

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

Fix has been implemented and merged to master.  Sessions are checked on each page request
for cookie changes so it should immediately invalidate the user session.  Additionally,
I have set all newly generated cookies to expire 7 days after generation.

Reported by James.Moger on 2014-01-28 18:22:42

  • Status changed: Queued
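The two comments above describe the shape of the fix: re-validate the login cookie on every request against the account's current state, fail authentication for a disabled account, and cap cookie lifetime at 7 days. The following is an added illustration of that pattern in Python; it is not Gitblit's code and does not use Gitblit's classes. The in-memory `USERS` store, the HMAC-signed cookie layout `username:issued:mac` and the `now` parameter (passed in so the expiry check is reproducible) are all assumptions made for the example. Binding the cookie's MAC to the current password hash is what makes an old cookie stop working the moment the password changes.

```python
import hashlib
import hmac
import secrets
import time

# Server-side signing key (constructed for this example; a real deployment keeps it secret and stable).
SERVER_SECRET = secrets.token_bytes(32)
# Seven-day cookie lifetime, matching the fix described in the issue.
COOKIE_MAX_AGE = 7 * 24 * 60 * 60

# Constructed in-memory account store: username -> {salt, pw_hash, disabled}
USERS = {}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt), "disabled": False}


def change_password(username, new_password):
    # New salt and hash: every cookie MAC'd over the old hash becomes invalid.
    user = USERS[username]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])


def disable_user(username):
    # The "disabled" flag the maintainer proposed: data retained, authentication fails.
    USERS[username]["disabled"] = True


def _mac(username, issued, pw_hash):
    msg = b"|".join([username.encode(), str(issued).encode(), pw_hash])
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(username, password, now=None):
    """Password login; returns a cookie bound to the credential in force right now, or None."""
    user = USERS.get(username)
    if user is None or user["disabled"]:
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    issued = int(now if now is not None else time.time())
    return f"{username}:{issued}:{_mac(username, issued, user['pw_hash'])}"


def validate_cookie(cookie, now=None):
    """Run on every request: returns the username if the cookie is still acceptable, else None."""
    try:
        username, issued_s, mac = cookie.split(":")
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return None
    user = USERS.get(username)
    if user is None or user["disabled"]:
        return None
    now = now if now is not None else time.time()
    if issued > now or now - issued > COOKIE_MAX_AGE:
        return None
    # Recompute the MAC over the *current* password hash; a changed password no longer matches.
    if not hmac.compare_digest(mac, _mac(username, issued, user["pw_hash"])):
        return None
    return username


if __name__ == "__main__":
    create_user("admin", "old-pass")
    firefox_cookie = issue_cookie("admin", "old-pass")
    print("before change:", validate_cookie(firefox_cookie))  # admin
    change_password("admin", "new-pass")                      # done from the Chrome session
    print("after change: ", validate_cookie(firefox_cookie))  # None
```

The same per-request check is where the disabled flag is enforced, so both fixes the maintainer describes share one code path; nothing in the cookie itself needs to change for an account to be locked out.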

@gitblit
Collaborator Author

gitblit commented Aug 12, 2015

1.4.0 released.

Reported by James.Moger on 2014-03-09 18:06:21

  • Status changed: Done

@gitblit gitblit closed this as completed Aug 12, 2015
@flaix flaix modified the milestone: 1.4.0 Dec 13, 2016