View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0015029||phpList 3 application||Authentication System||public||11-06-08 14:43||02-10-18 20:06|
|Target Version||Fixed in Version||2.11.8|
|Summary||0015029: Identical Cookies allow login to multiple installations|
|Description||I have two installations of PHPList on the same domain. The first installation is in a sub-directory of the root called "lists" and the second is in a sub-directory called "subscribe".|
Each installation uses its own database.
Each installation has different log on details for the admin.
I have tried to log in to each installation using the other's username and password and I cannot log in.
However, once I am logged in, I can substitute the word "lists" for "subscribe" in the URL and get in to the other installation.
As the login is stored in a cookie on my browser, I suspect that this is were the problem is. In fact, I cleared out all cookies then logged in to the first installation - then I opened another browser window to access the second installation. Monitoring the cookies I see that there is only one. When I delete this cookie, I am logged out of both installations.
The serious problem is that logging in to one installation should not give access to the second installation.
The cookie name is PHPSESSID (the default session name)
Should the cookie prefix be determined in the configuration file?
|Tags||No tags attached.|
|related to||0014252||new||Login with password in cookie fails|
|has duplicate||0006506||resolved||michiel||Problem with admin login when using multiple PHPlist installations|
|related to||0015403||resolved||michiel||Unexpected transfer to one phplist installation from another|
|related to||0019441||new||xheni||Open Login|
|child of||0010998||new||Enhance security|
Antonimo's findings seem to point to a session ID related security issue that might occur when having multiple installs and multiple admins.
I have therefor asked Antonimo to file this mantis report because I think this should be looked into by the developers.
See also: http://forums.phplist.com/viewtopic.php?t=18285
|You are right,H2B2.|
||I think that storing $installation_name as a session variable, comparing that with the local $installation_name variable in the access check script then logging the user out if they don't match would fix this.|
||For more info, see http://forums.phplist.com/viewtopic.php?p=61369#61369|
For those looking for a workaround solution, you can store administrator sessions in a database table by uncommenting the following setting in config.php:
$SessionTableName = "phplistsessions";