[Session] Security Vulnerability #756
Comments
To clarify the problem: John shouldn't have permissions to access the admin panel of the Jailbreak banlist because he isn't a Jailbreak admin, but he can do so because he has an aid saved in the session that is valid for both banlists.
You can patch this manually by setting the lines referenced here: sourcebans-pp/web/includes/auth/Auth.php line 97 in 63637f0 and sourcebans-pp/web/includes/auth/Auth.php line 104 in 63637f0. I'd recommend using different subdomains though, since cookie paths tend to be interpreted differently by different browsers.
Hi, yes, but it is only a temporary fix because a user can easily change their cookie path, so I was hoping for some long-term solution. Anyway, thanks for your answer. Edit: a domain/subdomain change is not an option.
Wait, I misinterpreted this scenario. Are you sharing a database between the two instances or, more specifically, the
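The thread above boils down to one PHP session-handling point: two installs on the same host both use the default session cookie name and path, so one cookie (and one `aid` in `$_SESSION`) is presented to both banlists. Scoping the cookie path, as suggested, only narrows which requests the browser attaches the cookie to; as the reporter notes, the client controls its own cookies, so the server must also refuse a session that another instance created. The following is an added example written for this discussion, not SourceBans++'s own code: it gives each install a distinct session cookie name and path, and binds every session to a hypothetical per-instance identifier (`$instanceId`, assumed to come from each install's configuration) that is checked before `aid` is trusted. The `/jailbreak/` path and the `jailbreak-banlist` identifier in the usage lines are assumptions.

```php
<?php
// Added example, not SourceBans++ project code. Assumes a hypothetical
// per-instance identifier ($instanceId) configured in each install.
declare(strict_types=1);

/**
 * Start the session for one banlist instance.
 * Must be called before any output and before $_SESSION is read.
 */
function startInstanceSession(string $instanceId, string $basePath): void
{
    // 1. Distinct cookie name per instance, so two installs on one host never
    //    read the same session id out of the same cookie.
    session_name('sbpp_' . substr(hash('sha256', $instanceId), 0, 16));

    // 2. Scope the cookie to this instance's path and harden its flags
    //    (array form of session_set_cookie_params needs PHP >= 7.3).
    session_set_cookie_params([
        'path'     => $basePath,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // 3. Server-side binding. A client can rewrite the cookie path or replay
    //    a session id under the other instance's cookie name; if the session
    //    was created by a different instance, throw it away and start fresh.
    if (isset($_SESSION['instance']) && !hash_equals($_SESSION['instance'], $instanceId)) {
        session_unset();
        session_regenerate_id(true); // new id, old session data deleted
    }
    $_SESSION['instance'] = $instanceId;
}

/**
 * Record a successful admin login for this instance only.
 * Regenerating the id also closes the session-fixation window.
 */
function loginAdmin(string $instanceId, int $aid): void
{
    session_regenerate_id(true);
    $_SESSION['instance'] = $instanceId;
    $_SESSION['aid']      = $aid;
}

/**
 * Return the logged-in admin id, or null if there is none or if the
 * session's aid was issued by another banlist instance.
 */
function currentAdminId(string $instanceId): ?int
{
    if (!isset($_SESSION['aid'], $_SESSION['instance'])) {
        return null;
    }
    if (!hash_equals($_SESSION['instance'], $instanceId)) {
        return null; // aid belongs to a different instance: do not trust it
    }
    return (int) $_SESSION['aid'];
}

// Usage in the Jailbreak install's bootstrap (values are assumptions):
startInstanceSession('jailbreak-banlist', '/jailbreak/');
$aid = currentAdminId('jailbreak-banlist'); // null unless this install logged the admin in
```

The cookie name and path keep the two sessions apart in the browser, but step 3 and the check in `currentAdminId()` are what actually close the hole: even if both installs share one `session.save_path` and a user copies the session id from one cookie into the other, the stored instance identifier will not match and the `aid` is ignored.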
What are the steps to reproduce this issue?
What happens?
When you log in to an account on one of the banlists on the same domain, sessions are not separated, so you are automatically logged in on each of them for different users with the same AID.
What were you expecting to happen?
When I log in to one banlist, I should NOT be logged in on another.
Any logs, error output, etc.?
None
Any other comments?
None
What versions of software are you using?
Operating System: Linux
SourceBans++ Version: 1.6.4
PHP Version: 7.4
MySQL Version: 10.5.8-MariaDB
Link to your project: I prefer not to.
Link to a phpinfo() output: I have no option to access this information.