Bug #35023 | I can edit anyone's profile | ||
---|---|---|---|
Submitted: | 4 Mar 2008 4:28 | Modified: | 10 Mar 2008 23:36 |
Reporter: | Diego Medina | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Websites: MySQLForge | Severity: | S1 (Critical) |
Version: | forge1.mysql.com | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
Tags: | login |
[4 Mar 2008 4:28]
Diego Medina
[5 Mar 2008 6:05]
Giuseppe Maxia
Diego, Thanks for this analysis. We are aware of the problem. The cookie is not encrypted, due to a bug in the library we are using for this purpose. Jay will find an alternative. Encrypting the cookie will fix the vulnerability.
[9 Mar 2008 2:46]
Diego Medina
Hi Giuseppe, Out of curiosity, would the encryption be the same kind that is now present on the forge.mysql.com site?
[10 Mar 2008 13:11]
Jay Pipes
Hi Diego! It is similar, but not the same. The problem with the new Forge1.mysql.com server is a bug in Ubuntu's libmcrypt and php. You can see the bug here on Launchpad: https://bugs.launchpad.net/ubuntu/+source/php-mcrypt/+bug/130181 I'm working on a workaround for this. Thanks, Jay
[10 Mar 2008 23:36]
Jay Pipes
The cryptography functions have been rewritten to use PEAR::Crypt_Blowfish, which apparently does not suffer from the hanging bug on Ubuntu servers. Cookie session information is now completely encrypted. The cookie version has been incremented so next time anyone accesses the site, they will immediately be logged out and their session destroyed so that a new encrypted session can be made. FIXED in r446-450
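
The fix described in the last comment (a fully encrypted session cookie, plus a version bump that logs out sessions issued earlier) is illustrated below. This is an added example, not MySQL Forge's code: it uses PHP's libsodium `secretbox` (authenticated encryption) in place of PEAR::Crypt_Blowfish, and `COOKIE_VERSION`, `seal_session()` and `open_session()` are hypothetical names.

```php
<?php
// Added example, not MySQL Forge code. COOKIE_VERSION, seal_session() and
// open_session() are hypothetical names; libsodium's secretbox (authenticated
// encryption) stands in for the PEAR::Crypt_Blowfish code the fix used.
const COOKIE_VERSION = 2; // bump to invalidate every cookie issued before

function seal_session(array $session, string $key, int $version = COOKIE_VERSION): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = json_encode(['v' => $version] + $session);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

// Returns the session array, or null when the cookie must be discarded.
function open_session(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // not something this server issued
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null; // modified by the client, or sealed under another key
    }
    $session = json_decode($plain, true);
    if (!is_array($session) || ($session['v'] ?? null) !== COOKIE_VERSION) {
        return null; // issued before the version bump: force a fresh login
    }
    return $session;
}

// Constructed sample data.
$key     = sodium_crypto_secretbox_keygen();
$current = seal_session(['user_id' => 1001], $key);
$old     = seal_session(['user_id' => 1001], $key, COOKIE_VERSION - 1);

// Client-side edit: flip one bit in the last byte of the sealed cookie.
$bytes    = base64_decode($current);
$bytes[strlen($bytes) - 1] = chr(ord($bytes[strlen($bytes) - 1]) ^ 1);
$tampered = base64_encode($bytes);

var_dump(open_session($current, $key)['user_id']); // cookie as issued
var_dump(open_session($tampered, $key));           // cookie edited by the client
var_dump(open_session($old, $key));                // cookie from before the bump
```

The version field sits inside the sealed payload, so a client cannot rewrite it to keep an older session alive; a cookie that fails either check is treated as no session at all.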