[CVE-2019-12203] Session fixation in "change password" form
A potential account hijacking may happen if an attacker has physical access to the victim's computer to perform session fixation. It is also possible if the targeted application contains an XSS vulnerability. It requires the victim to click the password reset link sent to their email. If all of the above happens, attackers may reset the password before the actual user does.
This commit is contained in:
parent
1f92b21a04
commit
eccfa9b10d
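--- a/{PATH_NOT_ON_PAGE: class Session}
+++ b/{PATH_NOT_ON_PAGE: class Session}
@@ -217,7 +217,6 @@ class Session
      */
     public function init(HTTPRequest $request)
     {
-
         if (!$this->isStarted() && $this->requestContainsSessionId($request)) {
             $this->start($request);
         }
@@ -634,4 +633,16 @@ class Session
             }
         }
     }
+
+    /**
+     * Regenerate session id
+     *
+     * @internal This is for internal use only. Isn't a part of public API.
+     */
+    public function regenerateSessionId()
+    {
+        if (!headers_sent()) {
+            session_regenerate_id(true);
+        }
+    }
 }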
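Review bot: regenerateSessionId() in the second hunk reports nothing back, so when headers_sent() is true the rotation is skipped silently and the caller in ChangePasswordHandler (the other hunk on this page) cannot tell that the session id under which it is about to store the reset hash was never changed; session_regenerate_id() also returns false, with a warning, when no session is active, which this guard does not cover. Returning the outcome and checking the session state keeps the failure visible: `if (headers_sent() || session_status() !== PHP_SESSION_ACTIVE) { return false; }` followed by `return session_regenerate_id(true);`, with `@return bool` added to the docblock. The docblock could also state why the method exists, e.g. `* Issue a fresh session id before privileged state (such as the password-reset hash) is stored, so an id known before authentication cannot be reused.`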
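--- a/{PATH_NOT_ON_PAGE: class ChangePasswordHandler}
+++ b/{PATH_NOT_ON_PAGE: class ChangePasswordHandler}
@@ -158,6 +158,7 @@ class ChangePasswordHandler extends RequestHandler
             Injector::inst()->get(IdentityStore::class)->logOut();
         }
 
+        $this->getRequest()->getSession()->regenerateSessionId();
         // Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm.
         $this->getRequest()->getSession()->set('AutoLoginHash', $member->encryptWithUserSettings($token));
     }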
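Review bot: The new regenerateSessionId() call runs whether or not a PHP session is active; Session::init in the Session hunk on this page only starts the session when the request already carries a session id, so on a request without a session cookie this presumably reaches session_regenerate_id() with no active session, which emits a warning and returns false instead of rotating anything, and the void-returning wrapper hides that. A request with no existing session id is not subject to fixation, so guarding on the session's started state is sufficient: `$session = $this->getRequest()->getSession();` then `if ($session->isStarted()) { $session->regenerateSessionId(); }`, with a short comment such as `// Rotate the id of any pre-existing session before the reset hash is stored in it`. The enclosing method begins before this hunk.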
@ -98,6 +98,7 @@ class SessionAuthenticationHandler implements AuthenticationHandler
|
|||||||
$file = '';
|
$file = '';
|
||||||
$line = '';
|
$line = '';
|
||||||
|
|
||||||
|
// TODO: deprecate and use Session::regenerateSessionId
|
||||||
// @ is to supress win32 warnings/notices when session wasn't cleaned up properly
|
// @ is to supress win32 warnings/notices when session wasn't cleaned up properly
|
||||||
// There's nothing we can do about this, because it's an operating system function!
|
// There's nothing we can do about this, because it's an operating system function!
|
||||||
if (!headers_sent($file, $line)) {
|
if (!headers_sent($file, $line)) {
|
||||||
|