Symbiota / Symbiota-deprecated

This original code fork is considered deprecated and no longer maintained by the community. We recommend that you use one of the several actively developed forks.
GNU General Public License v2.0
23 stars, 93 forks

Security issue with cookies #96

Closed dshorthouse closed 7 years ago

dshorthouse commented 7 years ago

https://github.com/Symbiota/Symbiota/blob/master/config/symbbase.php#L53 makes reference to global $_COOKIE items SymbiotaBase & SymbiotaRights. Without much effort, one can spoof these with a cookie editor and gain access to pages and functions that ordinarily require authentication. I won't explain here how that can be done but can follow up via email if you want specifics. What I suggest is that cookie values be encrypted prior to sending to the client, then that hash be used to look up a user. This is far from perfect but at the very least will minimize user spoofing & permission escalation through a bit of obfuscation.
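The pattern suggested in this comment, as an added example that is not Symbiota's own code: instead of reading identity and rights straight out of client-controlled cookies, the client holds only an opaque random token with an HMAC tag, and the user id and rights are resolved from a server-side store on every request. The store (`$SESSION_STORE`, an in-memory array standing in for a database table), the secret (`SERVER_SECRET`) and the cookie name `SymbiotaSession` are assumptions for the illustration, not names from the project.

```php
<?php
// Added example, not Symbiota's own code. Requires PHP 7.3+ (setcookie options array).
// Assumption: SERVER_SECRET is loaded from server-side config, never committed or sent to clients.
const SERVER_SECRET = 'replace-with-at-least-32-random-bytes-from-config';

// Hypothetical server-side session table: sha256(token) => ['uid', 'rights', 'expires'].
// In a real deployment this would be a database table, not a PHP array.
$SESSION_STORE = [];

/** After a successful login: create a session and return the cookie value to send to the client. */
function createSession(array &$store, int $uid, array $rights, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));                    // 256-bit unguessable token
    $mac   = hash_hmac('sha256', $token, SERVER_SECRET);    // integrity tag: edits to the token are detectable
    // Store only a hash of the token so a leaked table cannot be replayed as-is.
    $store[hash('sha256', $token)] = [
        'uid'     => $uid,
        'rights'  => $rights,                               // rights live here, never in the cookie
        'expires' => time() + $ttl,
    ];
    return $token . '.' . $mac;
}

/** On each request: map the cookie back to a user record, or null if missing, tampered or expired. */
function resolveSession(array $store, ?string $cookie): ?array
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$token, $mac] = explode('.', $cookie, 2);
    if (strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null;
    }
    $expected = hash_hmac('sha256', $token, SERVER_SECRET);
    if (!hash_equals($expected, $mac)) {                   // constant-time comparison
        return null;
    }
    $rec = $store[hash('sha256', $token)] ?? null;
    if ($rec === null || $rec['expires'] < time()) {
        return null;
    }
    return $rec;
}

/** Cookie attributes that keep the token away from page scripts and off plaintext HTTP. */
function sendSessionCookie(string $value): void
{
    setcookie('SymbiotaSession', $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demonstration with constructed data (run from the CLI; no web server needed).
$cookie = createSession($SESSION_STORE, 42, ['CollAdmin-1']);

$user = resolveSession($SESSION_STORE, $cookie);
echo "valid cookie -> uid=" . ($user['uid'] ?? 'none') . "\n";

// A client-side edit of the cookie value changes nothing useful: rights are not in the cookie,
// and altering the token breaks the MAC before any lookup happens.
$tampered = ($cookie[0] === '0' ? '1' : '0') . substr($cookie, 1);
echo "tampered cookie -> " . (resolveSession($SESSION_STORE, $tampered) === null ? 'rejected' : 'accepted') . "\n";

// A well-formed cookie for a token that was never issued is also rejected at the lookup step.
$unknown = str_repeat('0', 64);
$unknown .= '.' . hash_hmac('sha256', $unknown, SERVER_SECRET);
echo "unknown token -> " . (resolveSession($SESSION_STORE, $unknown) === null ? 'rejected' : 'accepted') . "\n";
```

Encrypting the existing cookie values, as the later comment in this thread describes, hides their contents but does not by itself stop a captured or modified value from being presented back; the HMAC tag and the server-side lookup above address that, and keeping the rights record on the server means a cookie edit cannot change what a session is allowed to do.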

egbot commented 7 years ago

Added encryption of SymbiotaBase and SymbiotaRights cookies. There has not been much hacker interest in collection data, but at least this makes it harder for some bored hacker to raise havoc. Authentication model still needs to be reworked.

dshorthouse commented 7 years ago

+1