[CVE-2019-12203] Session fixation in "change password" form

A potential account hijacking may happen if an attacker has physical access to
the victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does.
This commit is contained in:
Serge Latyntcev 2019-09-17 09:09:59 +12:00 committed by Aaron Carlino
parent afcd966740
commit a86093fee6
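As an added illustration of the scenario described in the commit message (this is example code, not SilverStripe's code and not part of the commit): a PHP CLI script that models an in-memory session store, the pre-fix change-password handler that stores the reset hash in whatever session the request arrived with, and the post-fix handler that regenerates the session id first. The `SessionStore` class, `changePasswordVulnerable()`, `changePasswordFixed()`, the constructed session id and token, and the sha256 stand-in for `encryptWithUserSettings()` are all assumptions of the example.

```php
<?php
// Added example (not SilverStripe code): models the session-fixation scenario from the
// commit message and the session_regenerate_id(true) mitigation, using an in-memory
// session store so it runs from the CLI without a web server or real PHP sessions.

declare(strict_types=1);

final class SessionStore
{
    /** @var array<string, array<string, mixed>> session id => session data */
    private array $sessions = [];

    // Look up (or lazily create) the session for the id presented in the cookie.
    // PHP's default session handling behaves the same way: an unknown PHPSESSID is
    // accepted and an empty session is created under it unless session.use_strict_mode=1.
    public function open(string $id): string
    {
        if (!isset($this->sessions[$id])) {
            $this->sessions[$id] = [];
        }
        return $id;
    }

    public function set(string $id, string $key, $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    public function get(string $id, string $key)
    {
        return $this->sessions[$id][$key] ?? null;
    }

    // Equivalent of session_regenerate_id(true): copy the data to a new random id and
    // delete the old one, so anyone still holding the old id reaches nothing.
    public function regenerate(string $oldId): string
    {
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }
}

// Before the fix (assumed model): the hash of the reset token is stored in the session
// the request arrived with, even one whose id the attacker planted in the browser.
function changePasswordVulnerable(SessionStore $store, string $cookieId, string $token): string
{
    $id = $store->open($cookieId);
    $store->set($id, 'AutoLoginHash', hash('sha256', $token)); // stand-in for encryptWithUserSettings()
    return $id;
}

// After the fix (assumed model): regenerate the id before storing the hash. The returned
// id is what the Set-Cookie header would carry back to the victim's browser.
function changePasswordFixed(SessionStore $store, string $cookieId, string $token): string
{
    $id = $store->open($cookieId);
    $id = $store->regenerate($id);
    $store->set($id, 'AutoLoginHash', hash('sha256', $token));
    return $id;
}

// Constructed scenario: the attacker has planted a known session id in the victim's
// browser (physical access or XSS, per the commit message); the victim then follows the
// reset link carrying $token.
$fixatedId = 'attacker-chosen-session-id';
$token     = 'reset-token-from-email';

$store = new SessionStore();
changePasswordVulnerable($store, $fixatedId, $token);
printf("vulnerable: attacker's id holds the hash? %s\n",
    $store->get($fixatedId, 'AutoLoginHash') !== null ? 'yes' : 'no');

$store = new SessionStore();
$newId = changePasswordFixed($store, $fixatedId, $token);
printf("fixed:      attacker's id holds the hash? %s (victim's new id: %s)\n",
    $store->get($fixatedId, 'AutoLoginHash') !== null ? 'yes' : 'no', $newId);
```

Run it with `php` from the command line: in the vulnerable path the attacker can keep querying the id they planted and will find the reset hash there, while in the fixed path that id has been deleted and only the freshly issued id, which the attacker never sees, holds the hash. The same property is what `session_regenerate_id(true)` provides for real PHP sessions, provided it actually runs before the privileged data is stored.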


@ -719,6 +719,12 @@ class Security extends Controller implements TemplateGlobalProvider {
$curMember->logOut(); $curMember->logOut();
} }
if (!headers_sent()) {
// To avoid a potential session fixation attack
// we're refreshing the session id so that it's
// always new and random for every authentication
session_regenerate_id(true);
}
// Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm. // Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm.
Session::set('AutoLoginHash', $member->encryptWithUserSettings($_REQUEST['t'])); Session::set('AutoLoginHash', $member->encryptWithUserSettings($_REQUEST['t']));
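Review bot: When headers have already been sent, the `if (!headers_sent())` guard skips `session_regenerate_id(true)` silently and execution falls straight through to `Session::set('AutoLoginHash', ...)`, so the hash is written into a session whose id the attacker may have fixated, which is exactly the condition the commit message describes. Consider logging a warning or aborting the change-password flow in that branch instead of continuing as if the id had been refreshed. Also, the new comment says the id is refreshed "for every authentication", but this code path is the change-password handler after `$curMember->logOut()`, not a login; reword it to say it protects the password-reset token exchange.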