phplist

NOTE: Before reporting an issue, make sure you are running the latest version, currently 3.3.1


ID: 0015029
Project: phplist application
Category: Authentication System
View Status: public
Date Submitted: 11-06-08 15:43
Last Update: 01-11-12 17:41
Reporter: Antonimo
Priority: normal
Severity: tweak
Reproducibility: always
Status: resolved
Resolution: fixed
Platform / OS / OS Version: (not specified)
Product Version: 2.10.5
Target Version: 4.0.x
Fixed in Version: 2.11.8

Summary: 0015029: Identical Cookies allow login to multiple installations

Description:
I have two installations of PHPList on the same domain. The first installation is in a sub-directory of the root called "lists" and the second is in a sub-directory called "subscribe".

Each installation uses its own database.

Each installation has different log on details for the admin.

I have tried to log in to each installation using the other's username and password and I cannot log in.

However, once I am logged in, I can substitute the word "lists" for "subscribe" in the URL and get into the other installation.

As the login is stored in a cookie on my browser, I suspect that this is where the problem is. In fact, I cleared out all cookies then logged in to the first installation - then I opened another browser window to access the second installation. Monitoring the cookies I see that there is only one. When I delete this cookie, I am logged out of both installations.

The serious problem is that logging in to one installation should not give access to the second installation.

The cookie name is PHPSESSID (the default session name).

Should the cookie prefix be determined in the configuration file?
Tags: No tags attached.
Attached Files: (none)

Relationships:
- related to 0014252 (new): Login with password in cookie fails
- has duplicate 0006506 (resolved, michiel): Problem with admin login when using multiple PHPlist installations
- related to 0015403 (resolved, michiel): Unexpected transfer to one phplist installation from another
- child of 0010998 (new): Enhance security

Notes
(0049399)
h2b2 (manager)
11-06-08 16:56

Antonimo's findings seem to point to a session ID related security issue that might occur when having multiple installs and multiple admins.

I have therefore asked Antonimo to file this mantis report because I think this should be looked into by the developers.

See also: http://forums.phplist.com/viewtopic.php?t=18285
(0049401)
user3543
11-06-08 17:06

You are right, H2B2.
(0050613)
CS2 (reporter)
03-04-09 14:44

I think that storing $installation_name as a session variable, comparing that with the local $installation_name variable in the access check script then logging the user out if they don't match would fix this.
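As an added example (not phplist's own code), the check CS2 describes, bound to phplist's $installation_name config variable, plus a separate session cookie per installation so that /lists and /subscribe stop sharing one PHPSESSID in the first place. The session keys, the login page name and the PHP 7.3+ array form of session_set_cookie_params() are assumptions.

```php
<?php
// Added example, not phplist code. $installation_name comes from config.php and
// must differ between the two installations on the same domain.
$installation_name = 'lists';

// 1. Give this installation its own cookie: distinct session name and a cookie
//    path limited to this install's directory, so the browser never presents the
//    /lists session ID to /subscribe (and vice versa).
$cookiePath = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/') . '/';
session_name('PHPSESSID_' . preg_replace('/[^A-Za-z0-9_]/', '_', $installation_name));
session_set_cookie_params([
    'path'     => $cookiePath,
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

// Does this session record that it was issued by this installation?
function sessionBelongsToThisInstall(array $session, string $installName): bool
{
    return isset($session['installation_name'])
        && hash_equals($installName, (string) $session['installation_name']);
}

// Call from the login handler once the admin credentials have been verified.
function recordAdminLogin(string $installName): void
{
    session_regenerate_id(true);               // fresh ID on privilege change
    $_SESSION['adminloggedin']     = true;     // assumed session key
    $_SESSION['installation_name'] = $installName;
}

// 2. Defence in depth (CS2's suggestion): call on every admin page. A session
//    that was issued by a different installation is destroyed and the user is
//    sent back to the login page, even if the cookie somehow reached us.
function enforceInstallBinding(string $installName): void
{
    if (empty($_SESSION['adminloggedin'])) {
        return;                                // not logged in: nothing to check
    }
    if (!sessionBelongsToThisInstall($_SESSION, $installName)) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');         // assumed login page
        exit;
    }
}

enforceInstallBinding($installation_name);
```

With the cookie path restricted, deleting the cookie in one installation no longer logs the admin out of the other, which is the observable symptom the reporter describes.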
(0050617)
h2b2 (manager)
06-04-09 06:20

For more info, see http://forums.phplist.com/viewtopic.php?p=61369#61369
(0050759)
h2b2 (manager)
29-10-09 02:54

For those looking for a workaround solution, you can store administrator sessions in a database table by uncommenting the following setting in config.php:
   $SessionTableName = "phplistsessions";

ref: http://forums.phplist.com/viewtopic.php?f=24&t=28812&p=69478#p69355
(0051834)
michiel (manager)
01-11-12 17:41

revision 3396
