Opened 3 weeks ago

Last modified 3 weeks ago

#5499 new defect

Vulnerability Report 1 : Failure to invalidate session on Password Change

Reported by: ather iqbal Owned by: rails-dev@…
Priority: minor Milestone: OSM 0.5
Component: website Version: 2.0
Keywords: check quick and pay me Cc:

Description

Hi team,

i am a security and this time i founded this vulnerability in your website

Vulnerability : Failure to invalidate session on Password Change

i observe that when we change password from one browser in place of session
Expire from other browser its just update password from other browser and
the old session got updated without being logout

Steps to check Session Management issue On password change :

1- login From two browser at a time [ From Chrome browser and From Mozilla
Firefox ]
2- Change password in setting from chrome browser
3- Now Check Mozilla FireFox?
4- Your Session Got Updated in place of expiration

Recommendations:

If Session is Updating From One Browser so Other Should Expire First to
renew session after login

Thanks

Regards:

Ather Iqbal

Change History (1)

comment:1 Changed 3 weeks ago by TomH

  • Priority changed from critical to minor

This bug tracker is no longer in regular use - please use https://github.com/openstreetmap/openstreetmap-website/issues/ for reporting issues.

Perhaps you could explain why you feel this is a vulnerability - the other session was validly authenticated with the password that existed at the time. Presumably the argument is that IF a password is being changed because it has been compromised the old session might have been started by somebody who was not supposed to have been in possession of the password?

The problem is that I don't believe there is any way we can invalidate the session as things stand, because there is no way to find all the sessions for a given user.

Note: See TracTickets for help on using tickets.