PacketFence
Bug Tracking System

View Issue Details
ID: 0001294
Project: PacketFence
Category: security
View Status: public
Date Submitted: 2011-10-03 11:52
Last Update: 2011-10-24 20:17
Reporter: mattd
Assigned To: obilodeau
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: devel
Target Version: 3.0.2
Fixed in Version: 3.0.2
Summary: 0001294: Session state shared between captive portal and guest management web interfaces
Description: The directory specified to store session state in both the captive portal guest self-registration (html/captive-portal/guest-selfregistration.cgi) and guest management (html/admin/guest-management.cgi) web interfaces is the same: '/tmp'. This allows an attacker who has signed in on the captive portal guest self-registration interface to be considered logged in as well to the guest management web interface.

Both use the "login" parameter in the session: captive-portal/guest-selfregistration.cgi sets it in pf::web::guest::validate_selfregistration, and admin/guest-management.cgi checks it on line 57.
Tags: No tags attached.
fixed in git revision:
fixed in mtn revision: c9d2a6a5b8ce155a535eddae62c1d9430c5a7f1a
Attached Files: security-fix-1294-session-sharing.patch (846 bytes) 2011-10-12 15:42

Notes
(0002339)
obilodeau (reporter)
2011-10-12 15:29

Reproduced in the lab. Reducing severity because the session is bound to a remote address and that address will change after a successful authentication in VLAN enforcement (due to the nature of it).

Users of inline enforcement are affected. The feature is quite new so there shouldn't be too many.

Nonetheless it is a great find! Thanks for the report.
(0002340)
obilodeau (reporter)
2011-10-12 15:44

Fixed by changing session path to var/session/ (which is what the Web Admin's PHP uses already).

Fix will be released in 3.0.2 shortly.

Those who can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 3.0+. Users of PacketFence before version 3.0.0 are *not* affected.
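
An added example, not part of the tracker notes or of PacketFence's own code: a small Python model of the issue in this report and of the effect of moving one interface to its own session directory, as note 0002340 describes. The store class, function names, directory names and addresses are constructed for illustration, and the remote-address check is an assumed model of the binding mentioned in note 0002339.

```python
import json, secrets, tempfile
from pathlib import Path

class FileSessionStore:
    """Hypothetical file-backed store: one JSON file per session id."""
    def __init__(self, directory):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)

    def create(self, remote_addr, **params):
        sid = secrets.token_hex(16)
        data = dict(params, _remote_addr=remote_addr)  # bind to client address
        (self.dir / f"sess_{sid}").write_text(json.dumps(data))
        return sid

    def load(self, sid, remote_addr):
        path = self.dir / f"sess_{sid}"
        if not sid.isalnum() or not path.is_file():
            return {}  # unknown id in *this* store: anonymous session
        data = json.loads(path.read_text())
        return data if data.get("_remote_addr") == remote_addr else {}

def portal_selfregister(store, remote_addr, email):
    """Captive portal side: a self-registered guest gets 'login' set."""
    return store.create(remote_addr, login=email)

def admin_is_logged_in(store, sid, remote_addr):
    """Guest management side: any session carrying 'login' counts as signed in."""
    return "login" in store.load(sid, remote_addr)

def demo():
    root = Path(tempfile.mkdtemp())
    guest_ip = "192.0.2.10"  # constructed sample address
    # Before the fix: both interfaces use the same session directory.
    shared = FileSessionStore(root / "tmp")
    sid = portal_selfregister(shared, guest_ip, "guest@example.com")
    same_dir = admin_is_logged_in(shared, sid, guest_ip)
    # VLAN enforcement: the address changes after authentication.
    new_addr = admin_is_logged_in(shared, sid, "198.51.100.7")
    # After the fix: each interface has its own session directory.
    portal = FileSessionStore(root / "portal-session")
    admin = FileSessionStore(root / "admin-session")
    sid = portal_selfregister(portal, guest_ip, "guest@example.com")
    split_dir = admin_is_logged_in(admin, sid, guest_ip)
    return same_dir, new_addr, split_dir

if __name__ == "__main__":
    print(demo())
```

The three results correspond to the shared directory with an unchanged address (the inline enforcement case), the shared directory after an address change (the VLAN enforcement case), and separate directories.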
(0002365)
obilodeau (reporter)
2011-10-17 10:39

This vulnerability has been assigned: CVE-2011-4070.
(0002384)
obilodeau (reporter)
2011-10-24 20:15

fix released in 3.0.2

Issue History
Date Modified Username Field Change
2011-10-03 11:52 mattd New Issue
2011-10-06 11:47 obilodeau Status new => assigned
2011-10-06 11:47 obilodeau Assigned To => obilodeau
2011-10-12 15:29 obilodeau Note Added: 0002339
2011-10-12 15:29 obilodeau Severity major => minor
2011-10-12 15:42 obilodeau File Added: security-fix-1294-session-sharing.patch
2011-10-12 15:44 obilodeau mtn revision => c9d2a6a5b8ce155a535eddae62c1d9430c5a7f1a
2011-10-12 15:44 obilodeau Note Added: 0002340
2011-10-12 15:44 obilodeau Status assigned => resolved
2011-10-12 15:44 obilodeau Fixed in Version => +1
2011-10-12 15:44 obilodeau Resolution open => fixed
2011-10-17 10:39 obilodeau Note Added: 0002365
2011-10-24 16:45 obilodeau View Status private => public
2011-10-24 20:15 obilodeau Target Version => 3.0.2
2011-10-24 20:15 obilodeau Note Added: 0002384
2011-10-24 20:16 obilodeau Status resolved => closed
2011-10-24 20:17 obilodeau Fixed in Version +1 => 3.0.2

