[Session] Security Vulnerability #756

Open
rothadamcz opened this issue Oct 24, 2021 · 4 comments

Comments

@rothadamcz

rothadamcz commented Oct 24, 2021

What are the steps to reproduce this issue?

  1. Set up 2 SourceBans web instances on the same domain.
  2. Create a few admin accounts (different on each instance).
  3. Log in to one of the admin accounts on instance 1.
  4. Open a page of instance 2 and you'll see you are logged in as another account (with the same AID as the account on instance 1).

What happens?

When you log in to an account on one of the banlists on the same domain, sessions are not separated, so you are automatically logged in on each of them as different users with the same AID.

What were you expecting to happen?

When I log in to one banlist, I should NOT be logged in on another.

Any logs, error output, etc.?

None

Any other comments?

None

What versions of software are you using?

Operating System: Linux
SourceBans++ Version: 1.6.4
PHP Version: 7.4
MySQL Version: 10.5.8-MariaDB
Link to your project: I prefer not to.
Link to a phpinfo() output: I have no option to access this information.

@rothadamcz
Author

rothadamcz commented Oct 24, 2021

To clarify the problem:
John is logging in to the banlist at banlist.example.com/csgo/public. John has AID 21.
When John goes to the banlist at banlist.example.com/csgo/jailbreak, he is logged in as user Andrew, who also has AID 21.

The problem is that John shouldn't have permission to access the admin panel of the Jailbreak banlist because he isn't a Jailbreak admin, but he can do so because he has the AID saved in the session, which is valid for both banlists.

@peace-maker
Contributor

You can patch this manually by setting the path of the session cookie to /csgo/public and /csgo/jailbreak respectively.


setcookie('sbpp_auth', $data, $lifetime, '/', $domain, $secure, true);

I'd recommend using different subdomains though since cookie paths tend to be interpreted differently by different browsers.

@rothadamcz
Author

rothadamcz commented Mar 9, 2022

Hi, yes, but it is only a temporary fix because a user can easily change their cookie path, so I was hoping for some long-term solution.

Anyway thanks for your answer.

edit: Domain/subdomain change is not an option.

@peace-maker
Contributor

Wait, I misinterpreted this scenario. Are you sharing a database between the two instances or more specifically the sb_login_tokens table? Can you check if the "jti" header field from the sbpp_auth cookie is present in both databases?
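
Added example, not part of the thread and not SourceBans++ code: a standalone PHP sketch of the two controls discussed above, a path-scoped auth cookie plus a server-side check that a token was issued for this instance, so that a cookie replayed against the other banlist is refused even if its path is altered. The names `demo_auth`, `INSTANCE_PATH`, `INSTANCE_KEY`, the `aud` claim and all functions are hypothetical, and the token format is a simplified HMAC-signed payload rather than the project's own.

```php
<?php
declare(strict_types=1);

// Hypothetical per-instance values (constructed), not SourceBans++ settings.
const INSTANCE_PATH = '/csgo/public';
const INSTANCE_KEY = 'constructed-demo-key';

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Mint a token whose signed payload names the instance it belongs to.
function issueToken(int $aid, string $instance, string $key, int $ttl = 3600): string
{
    $payload = b64url(json_encode(['aid' => $aid, 'aud' => $instance, 'exp' => time() + $ttl]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $key, true));
}

// Server-side check: signature, audience and expiry must all hold, else null.
function verifyToken(string $token, string $instance, string $key): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) { return null; }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $key, true));
    if (!hash_equals($expected, $sig)) { return null; }
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['aud'] ?? null) !== $instance) { return null; }
    if (($claims['exp'] ?? 0) < time()) { return null; }
    return is_int($claims['aid'] ?? null) ? $claims['aid'] : null;
}

// Path-scoped cookie: browsers send it only under this instance's URL prefix.
// This narrows exposure; the audience check above is what enforces separation.
function sendAuthCookie(string $token): void
{
    setcookie('demo_auth', $token, [
        'expires' => time() + 3600, 'path' => INSTANCE_PATH . '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed scenario from the thread: John (AID 21) logs in on /csgo/public.
$token = issueToken(21, '/csgo/public', INSTANCE_KEY);
var_dump(verifyToken($token, '/csgo/public', INSTANCE_KEY));            // issuing instance
var_dump(verifyToken($token, '/csgo/jailbreak', INSTANCE_KEY));         // other instance, shared key
var_dump(verifyToken($token, '/csgo/jailbreak', 'other-instance-key')); // other instance, own key
```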
