CuteNews / cutenews-2.0

Cutenews 2.0 Repository

Found a security issue ! #2

Open imnarendrabhati opened 9 years ago

imnarendrabhati commented 9 years ago

I contacted your team via your support page, but I didn't get a response for more than a month, so I came here.

Provide your email so I can share the details!

CuteNews commented 9 years ago

Dear Narendrabhati,

You can explain all the details using this e-mail.

On Sat, Dec 20, 2014 at 4:58 PM, narendrabhati notifications@github.com wrote:

I contacted your team via your support page, but I didn't get a response for more than a month, so I came here.

Provide your email so I can share the details!

Best regards,

CuteNews Support Team.

imnarendrabhati commented 9 years ago

Vulnerability Description -

Developers expect that when an end user clicks on the logout button and the server executes the FormsAuthentication.SignOut method on the server side, the user's session is properly terminated and destroyed so that the user is effectively logged out. The latter is, however, not the case. Even after the SignOut method is issued, the session is not destroyed on the server side.

Vulnerability Impact -

If a session is not properly terminated and destroyed on the application server, then the session is vulnerable to session hijacking. This means that even though the user clicked on the logout button, an attacker may continue working inside the authenticated session.

Every authenticated session is identified by a unique session token. This session token is stored in a cookie in the browser. Because your browser submits this cookie to the server for every page that you request, the web application is able to identify you as a user and can give you access to all your data. However, if an attacker is able to obtain the value of this session token (through various methods which we don't discuss here) then the attacker also has access to your data in the application. 

One would expect that when a user clicks on the logout button, the session token loses its value. This is, however, not true in ASP.NET's forms authentication session management scheme. Even after logging out, the session token remains valid and the session keeps on living on the server side until it times out.

Video POC

http://youtu.be/0CDUu_KZSlw-
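The failure mode described in the report, shown side by side with the fix, as an added illustration that is not CuteNews code and not the reporter's proof of concept: a minimal in-memory session store with two logout handlers. `logout_client_only` only tells the browser to drop its cookie, so a token copied before logout still resolves to the user; `logout` also destroys the server-side record, so the copied token is rejected. The store, the `SESSION_TTL` value and all function names are hypothetical.

```python
"""Server-side session invalidation on logout: weak pattern beside the fix.

Added example, not project code. A token captured before logout stays usable
when logout only clears the browser cookie (the behaviour the report
describes) and is rejected once the server destroys its own record too.
"""
import secrets
import time

SESSION_TTL = 30 * 60  # idle timeout in seconds (hypothetical value)


class SessionStore:
    """Hypothetical in-memory session store keyed by an opaque token."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so idle expiry can be tested offline

    def login(self, username):
        """Create a fresh, unguessable token bound to the user."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": self._clock()}
        return token

    def user_for(self, token):
        """Resolve a presented token; None means the request is unauthenticated."""
        record = self._sessions.get(token)
        if record is None:
            return None
        if self._clock() - record["last_seen"] > self._ttl:
            del self._sessions[token]      # idle timeout reached, drop it
            return None
        record["last_seen"] = self._clock()
        return record["user"]

    def logout_client_only(self, token):
        """Weak: the response clears the cookie, the server forgets nothing."""
        return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly"}

    def logout(self, token):
        """Fixed: destroy the server-side record, then clear the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly"}


def replay_after_logout(invalidate_server_side):
    """Simulated timeline: login, token copied, logout, copy presented again.

    Returns the user the replayed token resolves to; None means rejected.
    """
    store = SessionStore()
    token = store.login("alice")          # constructed sample user
    copied = token                        # value held by some other party
    if invalidate_server_side:
        store.logout(token)
    else:
        store.logout_client_only(token)
    return store.user_for(copied)


def expires_when_idle(ttl, idle_for):
    """Return True if a session left idle for `idle_for` seconds is rejected."""
    now = [0.0]
    store = SessionStore(ttl=ttl, clock=lambda: now[0])
    token = store.login("bob")            # constructed sample user
    now[0] += idle_for
    return store.user_for(token) is None


if __name__ == "__main__":
    print("client-only logout, replay resolves to:", replay_after_logout(False))
    print("server-side logout, replay resolves to:", replay_after_logout(True))
    print("idle 70s with 60s ttl rejected:", expires_when_idle(60, 70))
```

The check a reviewer wants on any logout handler is the one `replay_after_logout(True)` encodes: after logout, a request carrying the old token must be treated as unauthenticated, regardless of what the browser was told to do with its cookie. Idle expiry is a backstop, not a substitute, since it leaves the window the report describes open until the timeout fires.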

imnarendrabhati commented 9 years ago

Is there any update regarding this issue?

CuteNews commented 9 years ago

Dear Narendrabhati,

Thank you for your report! We're working on a new version of CuteNews, which is going to be released in the near future. We will take into account your report about the session vulnerability.

On Fri, Feb 20, 2015 at 3:55 PM, narendrabhati notifications@github.com wrote:

Is there any update regarding this issue?

Best regards,

CuteNews Support Team.

imnarendrabhati commented 9 years ago

Is there any update about fixing this?