javahuang / SurveyKing

Make a better survey system.
https://surveyking.cn
MIT License

There is a logout logic vulnerability in the background #7

Closed kpa1on closed 2 years ago

kpa1on commented 2 years ago

Version: v0.2.0

First, log in to the background normally and send query requests. Pay attention to the cookies.

[image]

Then click the exit login button. At this time, the back-end code does not delete the user's session, but just jumps to the login page. You can see that the requested data can still be obtained normally with the previous cookie. Then the attacker can log in to the system again with the help of the browser cache when the user exits.

[image]

Repair suggestion: when exiting the login, delete the user's session first, and then jump to the login page.
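The behaviour the report describes, as an added example that is not part of the report above and not SurveyKing's own code: an in-memory session store with a logout handler that only redirects beside one that invalidates the session first, plus a replay check that reissues the pre-logout cookie the way a cached browser would. The cookie name, the password and the users are constructed for the demonstration.

```python
"""Logout that only redirects versus logout that invalidates the session.

Constructed example, not SurveyKing code: an in-memory session store with the
two logout behaviours the report contrasts, and a replay check that reissues
the pre-logout cookie exactly as a cached browser would.
"""
import secrets
from dataclasses import dataclass, field

SESSION_COOKIE = "JSESSIONID"                 # cookie name assumed for illustration
DEMO_PASSWORD = "constructed-demo-password"   # constructed credential


@dataclass
class Server:
    sessions: dict = field(default_factory=dict)   # session id -> username

    def login(self, user: str, password: str) -> dict:
        # Constructed credential check; a real app verifies a password hash.
        if password != DEMO_PASSWORD:
            return {"status": 401}
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return {"status": 200, "set_cookie": {SESSION_COOKIE: sid}}

    def query(self, cookies: dict) -> dict:
        user = self.sessions.get(cookies.get(SESSION_COOKIE, ""))
        if user is None:
            return {"status": 401}
        return {"status": 200, "data": f"surveys of {user}"}

    def logout_vulnerable(self, cookies: dict) -> dict:
        # Behaviour described in the report: only a redirect; the session
        # entry is never removed, so the old cookie keeps working.
        return {"status": 302, "location": "/login"}

    def logout_fixed(self, cookies: dict) -> dict:
        # Repair suggestion from the report: invalidate server-side first,
        # then expire the cookie and redirect.
        self.sessions.pop(cookies.get(SESSION_COOKIE, ""), None)
        return {"status": 302, "location": "/login",
                "set_cookie": {SESSION_COOKIE: ""}}


def cookie_survives_logout(fixed: bool) -> bool:
    """Regression check: True means the pre-logout cookie still authenticates."""
    server = Server()
    resp = server.login("alice", DEMO_PASSWORD)
    saved_cookies = dict(resp["set_cookie"])     # what the browser cache retains
    if server.query(saved_cookies)["status"] != 200:
        raise RuntimeError("login did not establish a session")
    logout = server.logout_fixed if fixed else server.logout_vulnerable
    logout(saved_cookies)                        # user is sent to /login
    return server.query(saved_cookies)["status"] == 200


if __name__ == "__main__":
    print("vulnerable logout, cookie replay works:", cookie_survives_logout(False))
    print("fixed logout, cookie replay works:     ", cookie_survives_logout(True))
```

The `cookie_survives_logout` check is the shape of regression test worth keeping in a project's suite: log in, copy the cookie, log out, and assert that a request with the copied cookie is now rejected. Clearing the cookie in the logout response alone does not pass it, because the copy never sees that response.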

javahuang commented 2 years ago

@l2sec thanks, fixed https://github.com/javahuang/SurveyKing/commit/b637feda118dd5a6db142b2705b2d55ffbfb4b48

The backend uses JWT. Currently, I don't want to use additional storage, such as a blacklist mechanism; I just delete the token cookie from the server for now.
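The trade-off the maintainer describes above, as an added example that is not part of the thread and not SurveyKing's own code: a minimal HS256 JWT built with the standard library, a logout that only clears the cookie, and the same logout with a `jti` denylist. The cookie name, the signing secret and the users are assumed for the demonstration.

```python
"""Stateless JWT logout: clearing the cookie alone versus a server-side denylist.

Constructed example, not SurveyKing code. The token is a minimal HS256 JWT
assembled with the standard library; secret and cookie name are assumed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SECRET = b"constructed-demo-secret"   # assumed; a real deployment loads this from config
TOKEN_COOKIE = "token"                # cookie name assumed for illustration


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl: int = 3600) -> str:
    """Sign a JWT carrying a unique jti so that individual tokens can be revoked."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    claims = {"sub": user, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, denylist: Optional[set] = None) -> Optional[dict]:
    """Return the claims if signature and expiry hold and the jti is not revoked."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return None
    if denylist is not None and claims.get("jti") in denylist:
        return None
    return claims


class Server:
    def __init__(self, use_denylist: bool):
        # Without a denylist the server keeps no logout state at all.
        self.denylist = set() if use_denylist else None

    def login(self, user: str) -> dict:
        return {TOKEN_COOKIE: issue_token(user)}

    def query(self, cookies: dict) -> int:
        return 200 if verify_token(cookies.get(TOKEN_COOKIE, ""), self.denylist) else 401

    def logout(self, cookies: dict) -> dict:
        # The cookie is cleared in the response either way; with a denylist the
        # token's jti is also revoked, which is what stops a replayed copy.
        if self.denylist is not None:
            claims = verify_token(cookies.get(TOKEN_COOKIE, ""))
            if claims:
                self.denylist.add(claims["jti"])
        return {TOKEN_COOKIE: ""}


def token_survives_logout(use_denylist: bool) -> bool:
    """True means a copy of the pre-logout token still authenticates."""
    server = Server(use_denylist)
    saved = dict(server.login("alice"))   # the copy a browser cache would keep
    server.logout(saved)
    return server.query(saved) == 200
```

Clearing the cookie ends the session for the browser that received the response, which is the case the issue reproduces; a copy of the token taken before logout remains valid until `exp`. A denylist keyed by `jti` only needs to hold entries until their `exp`, so the extra storage stays bounded by the token lifetime.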