PacketFence - BTS - PacketFence |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0001294 | PacketFence | security | public | 2011-10-03 11:52 | 2011-10-24 20:17 |
|
Reporter | mattd | |
Assigned To | obilodeau | |
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | |
Platform | | OS | | OS Version | |
Product Version | devel | |
Target Version | 3.0.2 | Fixed in Version | 3.0.2 | |
fixed in git revision | |
fixed in mtn revision | c9d2a6a5b8ce155a535eddae62c1d9430c5a7f1a |
|
Summary | 0001294: Session state shared between captive portal and guest management web interfaces |
Description | The directory specified to store session state in both the captive portal guest self-registration (html/captive-portal/guest-selfregistration.cgi) and guest management (html/admin/guest-management.cgi) web interfaces is the same: '/tmp'. This allows an attacker who has signed in on the captive portal guest self-registration interface to be considered logged in as well to the guest management web interface.
Both use the "login" parameter in the session: captive-portal/guest-selfregistration.cgi sets it in pf::web::guest::validate_selfregistration, and admin/guest-management.cgi checks it on line 57. |
Steps To Reproduce | |
Additional Information | |
Tags | No tags attached. |
Relationships | |
Attached Files | security-fix-1294-session-sharing.patch (846) 2011-10-12 15:42 https://www.packetfence.org/bugs/file_download.php?file_id=111&type=bug |
|
Issue History |
Date Modified | Username | Field | Change |
2011-10-03 11:52 | mattd | New Issue | |
2011-10-06 11:47 | obilodeau | Status | new => assigned |
2011-10-06 11:47 | obilodeau | Assigned To | => obilodeau |
2011-10-12 15:29 | obilodeau | Note Added: 0002339 | |
2011-10-12 15:29 | obilodeau | Severity | major => minor |
2011-10-12 15:42 | obilodeau | File Added: security-fix-1294-session-sharing.patch | |
2011-10-12 15:44 | obilodeau | mtn revision | => c9d2a6a5b8ce155a535eddae62c1d9430c5a7f1a |
2011-10-12 15:44 | obilodeau | Note Added: 0002340 | |
2011-10-12 15:44 | obilodeau | Status | assigned => resolved |
2011-10-12 15:44 | obilodeau | Fixed in Version | => +1 |
2011-10-12 15:44 | obilodeau | Resolution | open => fixed |
2011-10-17 10:39 | obilodeau | Note Added: 0002365 | |
2011-10-24 16:45 | obilodeau | View Status | private => public |
2011-10-24 20:15 | obilodeau | Target Version | => 3.0.2 |
2011-10-24 20:15 | obilodeau | Note Added: 0002384 | |
2011-10-24 20:16 | obilodeau | Status | resolved => closed |
2011-10-24 20:17 | obilodeau | Fixed in Version | +1 => 3.0.2 |
Notes |
|
|
Reproduced in the lab. Reducing severity because the session is bound to a remote address and that address will change after a successful authentication in VLAN enforcement (due to the nature of it).
Users of inline enforcement are affected. The feature is quite new so there shouldn't be too many.
Nonetheless it is a great find! Thanks for the report. |
|
|
|
Fixed by changing session path to var/session/ (which is what the Web Admin's PHP uses already).
Fix will be released in 3.0.2 shortly.
Those who can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 3.0+. Users of PacketFence before version 3.0.0 are *not* affected. |
|
|
|
This vulnerability has been assigned: CVE-2011-4070. |
|
|
|
|
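Added example (not PacketFence code, and not part of the original report): a small Python model of the flaw described in the summary, where two web interfaces keep file-backed sessions in one directory and both rely on a "login" session key. FileSessionStore, portal_selfregister, admin_is_logged_in and the directory names are hypothetical; using one directory per interface is an assumption made for the illustration, since the page only states that the session path was changed to var/session/.

```python
import json
import os
import secrets
import tempfile

class FileSessionStore:
    """Hypothetical file-backed session store: one JSON file per session id."""
    def __init__(self, directory):
        self.directory = directory
        os.makedirs(directory, mode=0o700, exist_ok=True)

    def _path(self, sid):
        # Accept only ids in the format we issue, so a cookie value cannot leave the directory.
        if len(sid) != 32 or any(c not in "0123456789abcdef" for c in sid):
            raise ValueError("malformed session id")
        return os.path.join(self.directory, "sess_" + sid)

    def create(self, data):
        sid = secrets.token_hex(16)
        with open(self._path(sid), "w") as fh:
            json.dump(data, fh)
        return sid

    def load(self, sid):
        try:
            with open(self._path(sid)) as fh:
                return json.load(fh)
        except (OSError, ValueError):
            return None  # unknown, unreadable or malformed id: no session

def portal_selfregister(store, email):
    # Portal side: a successful self-registration sets the "login" session key.
    return store.create({"login": email})

def admin_is_logged_in(store, sid):
    # Admin side: any session found in its store that carries "login" is trusted.
    session = store.load(sid)
    return bool(session and session.get("login"))

def demo():
    root = tempfile.mkdtemp()
    # Shared directory, as in the report: the portal session is visible to the admin check.
    shared = FileSessionStore(os.path.join(root, "tmp"))
    sid = portal_selfregister(shared, "guest@example.com")  # constructed sample value
    before = admin_is_logged_in(shared, sid)
    # Separate directories (assumed layout): the same kind of id resolves to nothing.
    portal = FileSessionStore(os.path.join(root, "session", "portal"))
    admin = FileSessionStore(os.path.join(root, "session", "admin"))
    sid = portal_selfregister(portal, "guest@example.com")
    after = admin_is_logged_in(admin, sid)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The same review applies to any pair of applications that share a session backend: confirm either that the stores are separate or that the privileged side checks a session key the unprivileged side can never set.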