Fix h1 report 176116
Session fixation
----------------

The HackerOne user pavanw3b has reported that Revive Adserver wasn't
properly invalidating the current session when setting a new password
via the forgot password mechanism. That could allow attackers having
access to the session ID to keep the authenticated session alive.

CWE-ID: CWE-384

CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 5.9
CVSSv3 Temporal Score: 5.2
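The pattern the commit message describes, shown here as an added example that is not Revive Adserver's code: a password-recovery handler that, after storing the new password, rotates the session identifier and discards the old session record, so a session ID obtained before the reset no longer refers to the authenticated session. The helper names `findUserByRecoveryId` and `storePassword` are assumed placeholders standing in for the application's own persistence layer.

```php
<?php
// Added example (not the project's code): password-recovery handler that
// prevents session fixation by regenerating the session ID at the moment
// the reset turns into an authenticated session.
// findUserByRecoveryId() and storePassword() are assumed placeholder helpers.

function handlePasswordReset(string $recoveryId, string $newPassword, string $newPassword2): bool
{
    if ($newPassword === '' || $newPassword !== $newPassword2) {
        return false; // mismatch or empty password: caller re-displays the form
    }

    // Assumed helper: validates the one-time recovery token and returns the
    // user ID it belongs to, or null when the token is unknown or already used.
    $userId = findUserByRecoveryId($recoveryId);
    if ($userId === null) {
        return false;
    }

    // Assumed helper: persists the new password hash for the user.
    storePassword($userId, password_hash($newPassword, PASSWORD_DEFAULT));

    // Vulnerable pattern: bind the identity to whatever session ID the request
    // arrived with, leaving a pre-reset ID valid for the authenticated session.
    //   $_SESSION['user_id'] = $userId;
    //
    // Hardened pattern: delete the old session record (true = delete_old_session),
    // start from an empty session array, then bind the identity to the new ID.
    session_regenerate_id(true);
    $_SESSION = [];
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();

    return true;
}
```

Clearing `$_SESSION` after regeneration is a deliberate choice: it drops any state the unauthenticated session carried, which is what an attacker-supplied ID would have seeded. If the application keeps legitimate pre-login state (for example a CSRF token or a return URL), copy only those keys across explicitly rather than keeping the whole array. `session_regenerate_id()` must run before any output is sent, since it sets a new session cookie.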
mbeccati committed Jan 30, 2017
1 parent a51ee66 commit b088012
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion lib/OA/Admin/PasswordRecovery.php
Expand Up @@ -117,7 +117,9 @@ function handlePost($vars)
if (empty($vars['newpassword']) || empty($vars['newpassword2']) || $vars['newpassword'] != $vars['newpassword2']) { if (empty($vars['newpassword']) || empty($vars['newpassword2']) || $vars['newpassword'] != $vars['newpassword2']) {
$this->displayRecoveryResetForm($vars['id'], $GLOBALS['strNotSamePasswords']); $this->displayRecoveryResetForm($vars['id'], $GLOBALS['strNotSamePasswords']);
} elseif ($this->_dal->checkRecoveryId($vars['id'])) { } elseif ($this->_dal->checkRecoveryId($vars['id'])) {
$userId = $this->_dal->saveNewPasswordAndLogin($vars['id'], $vars['newpassword']); $this->_dal->saveNewPasswordAndLogin($vars['id'], $vars['newpassword']);

phpAds_SessionRegenerateId();
OX_Admin_Redirect::redirect(); OX_Admin_Redirect::redirect();
} else { } else {
$this->displayRecoveryRequestForm($GLOBALS['strPwdRecWrongId']); $this->displayRecoveryRequestForm($GLOBALS['strPwdRecWrongId']);
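Review bot: the `phpAds_SessionRegenerateId();` call is placed after `saveNewPasswordAndLogin()` has already established the authenticated session, so whether this actually closes the fixation window depends on that helper deleting the old session record rather than only issuing a new ID; since its body is not in this diff, confirm it calls `session_regenerate_id(true)` (or the equivalent for the session backend), otherwise the pre-reset ID described in the commit message stays usable. Dropping the unused `$userId = ` assignment is fine, as nothing in the visible branch reads it; a one-line comment above the regenerate call stating that it exists to invalidate the pre-reset session would help the next reader understand why it must stay between the login and the redirect.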
