View Issue Details

ID: 0015029
Project: phplist application
Category: Authentication System
View Status: public
Last Update: 01-11-12 17:41
Reporter: Antonimo
Priority: normal
Severity: tweak
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.10.5
Target Version: 4.0.x
Fixed in Version: 2.11.8
Summary: 0015029: Identical Cookies allow login to multiple installations

Description:
I have two installations of PHPList on the same domain. The first installation is in a sub-directory of the root called "lists" and the second is in a sub-directory called "subscribe".

Each installation uses its own database.

Each installation has different log on details for the admin.

I have tried to log in to each installation using the other's username and password and I cannot log in.

However, once I am logged in, I can substitute the word "lists" for "subscribe" in the URL and get in to the other installation.

As the login is stored in a cookie on my browser, I suspect that this is where the problem is. In fact, I cleared out all cookies then logged in to the first installation - then I opened another browser window to access the second installation. Monitoring the cookies I see that there is only one. When I delete this cookie, I am logged out of both installations.

The serious problem is that logging in to one installation should not give access to the second installation.

The cookie name is PHPSESSID (the default session name)

Should the cookie prefix be determined in the configuration file?
Tags: No tags attached.

Relationships

related to 0014252 (new): Login with password in cookie fails
has duplicate 0006506 (resolved, michiel): Problem with admin login when using multiple PHPlist installations
related to 0015403 (resolved, michiel): Unexpected transfer to one phplist installation from another
child of 0010998 (new): Enhance security

Activities

h2b2 (manager), 11-06-08 15:56, note ~0049399

Antonimo's findings seem to point to a session ID related security issue that might occur when having multiple installs and multiple admins.

I have therefore asked Antonimo to file this mantis report because I think this should be looked into by the developers.

See also: http://forums.phplist.com/viewtopic.php?t=18285

user3543, 11-06-08 16:06, note ~0049401

You are right, H2B2.

CS2 (reporter), 03-04-09 13:44, note ~0050613

I think that storing $installation_name as a session variable, comparing that with the local $installation_name variable in the access check script then logging the user out if they don't match would fix this.
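
The session-scoping check CS2 describes, written out as an added PHP example (not phplist's own code): each installation gets its own session cookie name and cookie path, and the session is bound to the $installation_name that created it. The cookie path and $installation_name are assumed to come from that installation's config.php; the function names are hypothetical.

```php
<?php
// Added example, not phplist code: keep an admin session tied to the installation
// that created it. Assumes $installation_name and the install's URL path come from
// that installation's config.php; function names are hypothetical. Needs PHP >= 7.3
// for the array form of session_set_cookie_params().

// Give each installation its own session cookie name and restrict the cookie to the
// installation's own path, so /lists/ and /subscribe/ stop sharing one PHPSESSID.
function startInstallationSession(string $installationName, string $cookiePath): void
{
    session_name('phplist_' . substr(hash('sha256', $installationName), 0, 12));
    session_set_cookie_params([
        'path'     => $cookiePath,   // e.g. "/lists/" or "/subscribe/"
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// CS2's check: record $installation_name in the session on first use and, on every
// later request, log the user out if the session belongs to a different installation.
// Returns true when the session is valid for this installation.
function checkInstallationSession(string $installationName): bool
{
    if (!isset($_SESSION['installation_name'])) {
        $_SESSION['installation_name'] = $installationName;   // bind on first use
        return true;
    }
    if ($_SESSION['installation_name'] !== $installationName) {
        $_SESSION = [];
        session_destroy();            // drop the foreign session entirely
        return false;
    }
    return true;
}

// Usage at the top of the admin access check, here for the "lists" installation
// ($installation_name is the value set in that installation's config.php):
startInstallationSession($installation_name, '/lists/');
if (!checkInstallationSession($installation_name)) {
    exit('Session belongs to another installation; please log in again.');
}
```

With distinct cookie names and paths the browser no longer sends one installation's PHPSESSID to the other, and the stored $installation_name rejects a session even if a cookie is somehow shared.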

h2b2 (manager), 06-04-09 05:20, note ~0050617

For more info, see http://forums.phplist.com/viewtopic.php?p=61369#61369

h2b2 (manager), 29-10-09 02:54, note ~0050759

For those looking for a workaround solution, you can store administrator sessions in a database table by uncommenting the following setting in config.php:
   $SessionTableName = "phplistsessions";

ref: http://forums.phplist.com/viewtopic.php?f=24&t=28812&p=69478#p69355

michiel (manager), 01-11-12 17:41, note ~0051834

revision 3396