|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001294||PacketFence||security||public||2011-10-03 11:52||2011-10-24 20:17|
|Target Version||3.0.2||Fixed in Version||3.0.2|
|Summary||0001294: Session state shared between captive portal and guest management web interfaces|
|Description||The directory specified to store session state in both the captive portal guest self-registration (html/captive-portal/guest-selfregistration.cgi) and guest management (html/admin/guest-management.cgi) web interfaces is the same: '/tmp'. This allows an attacker who has signed in on the captive portal guest self-registration interface to be considered logged in as well to the guest management web interface.|
Both use the "login" parameter in the session: captive-portal/guest-selfregistration.cgi sets it in pf::web::guest::validate_selfregistration, and admin/guest-management.cgi checks it on line 57.
|Tags||No tags attached.|
|fixed in git revision|
|fixed in mtn revision||c9d2a6a5b8ce155a535eddae62c1d9430c5a7f1a|
|Attached Files||security-fix-1294-session-sharing.patch (846 bytes) 2011-10-12 15:42|
Reproduced in the lab. Reducing severity because the session is bound to a remote address and that address will change after a successful authentication in VLAN enforcement (due to the nature of it).
Users of inline enforcement are affected. The feature is quite new so there shouldn't be too many.
Nonetheless it is a great find! Thanks for the report.
Fixed by changing session path to var/session/ (which is what the Web Admin's PHP uses already).
Fix will be released in 3.0.2 shortly.
Those who can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 3.0+. Users of PacketFence before version 3.0.0 are *not* affected.
|This vulnerability has been assigned: CVE-2011-4070.|
|fix released in 3.0.2|
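The condition described in this issue, modelled as an added example (not PacketFence code and not part of the original report): two interfaces that keep file-backed sessions in one directory and both rely on a "login" key, compared with one directory per interface. The class and function names, the e-mail address and the IP addresses are constructed for illustration; the address check mirrors the note that the session is bound to a remote address.

```python
import json, secrets, tempfile
from pathlib import Path

class FileSessionStore:
    """Minimal file-backed session store: one JSON file per session id."""
    def __init__(self, directory):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)

    def create(self, data):
        sid = secrets.token_hex(16)
        (self.dir / f"sess_{sid}").write_text(json.dumps(data))
        return sid

    def load(self, sid):
        # Only hex ids are accepted, so an id cannot point outside the directory.
        if not sid or any(c not in "0123456789abcdef" for c in sid):
            return {}
        path = self.dir / f"sess_{sid}"
        return json.loads(path.read_text()) if path.is_file() else {}

def portal_selfregister(store, email, remote_addr):
    """Portal side: a guest who self-registers gets 'login' set in the session."""
    return store.create({"login": email, "remote_addr": remote_addr})

def admin_is_logged_in(store, sid, remote_addr):
    """Admin side: accepts any session that has 'login' and matches the client address."""
    s = store.load(sid)
    return bool(s.get("login")) and s.get("remote_addr") == remote_addr

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Before: both interfaces use the same directory ('/tmp' in the report).
        shared = FileSessionStore(Path(root) / "shared")
        sid = portal_selfregister(shared, "guest@example.com", "192.0.2.10")
        results["shared"] = admin_is_logged_in(shared, sid, "192.0.2.10")
        # The address binding only helps when the client address changes.
        results["shared_other_addr"] = admin_is_logged_in(shared, sid, "192.0.2.99")
        # After: one directory per interface; the portal's id is unknown to admin.
        portal = FileSessionStore(Path(root) / "portal")
        admin = FileSessionStore(Path(root) / "admin")
        sid = portal_selfregister(portal, "guest@example.com", "192.0.2.10")
        results["separate"] = admin_is_logged_in(admin, sid, "192.0.2.10")
    return results

if __name__ == "__main__":
    print(demo())
```

A quick check on a deployed system is to compare the session directory each web interface is configured with; any two interfaces with different trust levels that resolve to the same path share session state.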
|2011-10-03 11:52||mattd||New Issue|
|2011-10-06 11:47||obilodeau||Status||new => assigned|
|2011-10-06 11:47||obilodeau||Assigned To||=> obilodeau|
|2011-10-12 15:29||obilodeau||Note Added: 0002339|
|2011-10-12 15:29||obilodeau||Severity||major => minor|
|2011-10-12 15:42||obilodeau||File Added: security-fix-1294-session-sharing.patch|
|2011-10-12 15:44||obilodeau||mtn revision||=> c9d2a6a5b8ce155a535eddae62c1d9430c5a7f1a|
|2011-10-12 15:44||obilodeau||Note Added: 0002340|
|2011-10-12 15:44||obilodeau||Status||assigned => resolved|
|2011-10-12 15:44||obilodeau||Fixed in Version||=> +1|
|2011-10-12 15:44||obilodeau||Resolution||open => fixed|
|2011-10-17 10:39||obilodeau||Note Added: 0002365|
|2011-10-24 16:45||obilodeau||View Status||private => public|
|2011-10-24 20:15||obilodeau||Target Version||=> 3.0.2|
|2011-10-24 20:15||obilodeau||Note Added: 0002384|
|2011-10-24 20:16||obilodeau||Status||resolved => closed|
|2011-10-24 20:17||obilodeau||Fixed in Version||+1 => 3.0.2|