
1.6.2 Security issue? Cached login. Correction request #412

Open
BobDCoder opened this issue Aug 5, 2019 · 3 comments

Comments

@BobDCoder

commented Aug 5, 2019

It seems that 1.6.2 has a cache security issue that is active. As such I am reluctant to post the issue here, as I am sure all eyes are watching. But I consider it a serious issue only to the extent that the end user is targeted by a web hacker who might be able to access the PC's cached data stream.

When going to the admin page (/owa/index.php) via the web host and successfully logging in, you can choose to log out, and the login screen may or may not reappear depending on the cached data page.

The browser's cache holds the prior session state, and the logout does not clear that login session to a logged-out state. As such you can bypass the login by using the back button, or in some instances by starting to type the URL of the login page (https://yourdomain.com/owa/index.php) in the browser's URL bar: the autofill feature (history) will suggest the prior session and seems to insist that you use that suggestion. It will then load a prior (logged-in) live session, and you continue to have access even though you previously logged out.

This is wrong! A user should be forced to log back in after a logout, and not depend on the data cached or the URL stream data provided in the URL. I noticed this issue while I was having a problem setting up and activating SSL on a site (sometimes active, other times not, or a false secure), but that is beside the point.

My suggestion to the developer gods of OWA: create a session timer, ID, GUID, time stamp, idle-state timeout, etc., or whatever else is necessary for the login/logout, so that the login state is cleared and the user is forced to log back in.

For users: you have to close your browser and restart it. Also make sure that your browser settings are set to clear cookies and data when you exit a page as well as when you close the browser.

@padams

This comment has been minimized.

Owner

commented Aug 5, 2019

@BobDCoder

This comment has been minimized.

Author

commented Aug 5, 2019

Sorry if I sounded like a butt. I have been pulling doubles and tend to sound blunt and irate without intent.

Respectfully:

> When the user clicks the logout link in the admin interface it sends them to a PHP script that deletes the owa_p cookie, which in turn forces the user to re-authenticate (via login) if they attempt to access a new admin page without that cookie present.

In my case it did not. Maybe I had too many tabs open.

The issue and the step-by-step are just as I explained below. I don't know if it's my browser ("Firefox 68.0.1 64-bit" or "Ubuntu 16xxx OS") cache, or if it's something else. However, I was able to replicate the issue many times on my PC and browser without a hitch. Btw, I have Firefox security set to strict, if that helps. I never manually cleared the cache and history and gave it another try, though I did close once and reopen, so it might be a cookie remaining behind. I don't know, but I freaked, and that seemed to prompt my title (please note the ? in it, as I didn't want to alarm).

Process

  1. Go to the home page, https://mySite.com, then select and copy the URL.
  2. Open a new tab, paste the URL to open https://mySite.com, then type in /owa/install.php in the new tab to navigate to the install. --- OK
     Note: Before starting the install, I usually open a 3rd tab and go to my web host and log in, to monitor the progress or get info (db host, db name, ...) and whatever else I want to do, via copy/paste so there are no typos or errors/mistakes.
  3. Switch tabs back to the OWA install, start the install and allow it to finish and take you to the admin set-up page.
  4. Set the admin password and log in. --- OK
  5. Generate and copy the JavaScript/PHP script for pages. --- OK
  6. Log out of admin and see the login page load. --- OK
  7. Close the login page/tab #3. --- Done/gone
     Note: (two other tabs are still open)
     tab #1: https://mySite.com/index.php
     tab #2: https://myWebHost.com/1234*&(&(*++++%(&&)^^^)_........bla bla blah.
  8. Open a new tab in Firefox (tab #3) and manually start to type in the URL and path to the OWA index.php (Firefox starts to auto-complete the URL). Thus, around typing https://yourHost/owa/in..... this is where Firefox autofills the URL to the prior login data.
  9. Hit enter.
  10. The page loads to the previous login and there is full access to the OWA admin... no login necessary.

As an alternative, I have logged out and then used the back arrow to test this, and that also allowed me access without having to use the admin name and password.

Typing this, I just noticed that I have the home (non-login) index.php open and /owa/index.php open, and I speculate that it relates the two (logic error) and keeps the session open?

After being awake 25 hrs straight I have to sign off, but that is about the best tech doc I can manage at the moment. I will check back in after I have hibernated for about 18 hours.

I plan on reinstalling Firefox, OWA and a new DB, just to make sure it's not something I have done wrong... but in this state of mind that is highly likely. Just making deadlines and
Hope this helps.
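The two behaviours reported above (Back button and history autocomplete showing a logged-in admin page after logout) are what you get when logout only deletes an application cookie while the browser is still allowed to store the HTML of authenticated pages. The added example below is not OWA's own code; it is a generic PHP sketch of the two fixes a reviewer would ask for: the admin pages are served with `Cache-Control: no-store`, and logout destroys the server-side session and expires both the PHP session cookie and the application cookie before redirecting. The cookie name `owa_p` and the path `/owa/index.php` are taken from this thread; the session keys (`user_id`, `last_seen`), the 15-minute idle timeout and the helper names are assumptions for illustration. Requires PHP 7.3 or later for the array form of `setcookie()`.

```php
<?php
// Added example (not OWA's own code): cache-control plus full server-side
// logout for a PHP admin page. "owa_p" and /owa/index.php come from the
// issue thread; the session keys and IDLE_TIMEOUT are assumed values.
declare(strict_types=1);

const AUTH_COOKIE  = 'owa_p';           // application cookie named in the thread
const LOGIN_URL    = '/owa/index.php';  // admin/login page named in the thread
const IDLE_TIMEOUT = 900;               // seconds; assumed value

/**
 * Tell the browser and any proxy not to store this response. Without this a
 * Back navigation or a history autocomplete can redisplay the last logged-in
 * page straight from cache, even after the server-side session is gone.
 * Must run before any output is sent.
 */
function send_no_store_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

/**
 * Expire a cookie. Deletion matches on name, domain and path, so the path
 * must be the one the cookie was issued with; Secure is set to match the
 * current scheme so an HTTPS-only cookie is actually overwritten.
 */
function expire_cookie(string $name, string $path = '/'): void
{
    setcookie($name, '', [
        'expires'  => time() - 3600,
        'path'     => $path,
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Logout: wipe server-side state, expire the PHP session cookie and the
 * application cookie, then redirect. Deleting only the application cookie
 * (the behaviour described in the thread) leaves the PHP session alive and
 * the cached HTML in the browser.
 */
function logout(): void
{
    send_no_store_headers();
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        $params = session_get_cookie_params();
        expire_cookie(session_name(), $params['path'] ?: '/');
        session_destroy();
    }
    expire_cookie(AUTH_COOKIE);
    header('Location: ' . LOGIN_URL, true, 303);
    exit;
}

/**
 * Gate for every admin page: require a live session that was seen recently,
 * and never let the page be cached. Anything else is treated as a logout so
 * that stale state cannot be reused.
 */
function require_login(): void
{
    send_no_store_headers();
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now           = time();
    $authenticated = !empty($_SESSION['user_id']) && !empty($_COOKIE[AUTH_COOKIE]);
    $idleTooLong   = isset($_SESSION['last_seen'])
        && ($now - (int) $_SESSION['last_seen']) > IDLE_TIMEOUT;

    if (!$authenticated || $idleTooLong) {
        logout(); // clears everything and redirects; does not return
    }
    $_SESSION['last_seen'] = $now;
}

// Usage (assumed integration points, not OWA's):
//   on successful password check:  session_regenerate_id(true);
//                                  $_SESSION['user_id'] = $userId;
//                                  $_SESSION['last_seen'] = time();
//   at the top of each admin page: require_login();
//   as the target of the logout link: logout();
```

To check a deployment, log in, log out, then request an admin page with the old cookies removed; it must redirect to the login page. Also confirm that authenticated responses carry `Cache-Control: no-store` (for example with `curl -sI` on the admin URL). Firefox does not keep a `no-store` page in its back/forward cache, which is what stops the Back button from restoring the logged-in view; the history autocomplete will still offer the URL, but the server will now answer it with the login form.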

@padams

This comment has been minimized.

Owner

commented Aug 5, 2019
