View Issue Details

ID: 0019441
Project: phpList 3 application
Category: Authentication System
View Status: public
Last Update: 01-11-18 14:21
Reporter: ale-smile
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 3.3.4 - RC3
Target Version:
Fixed in Version:
Summary: 0019441: Open Login
Description: When there are multiple phpList instances on the same server, logging in to one of the instances lets you enter the others without a password.

Steps To Reproduce:
- open the login page of one instance (example: http://server/install1/admin)
- enter user name and password
- open another tab in the same browser
- open another instance (example: http://server/install2/admin)

install2 doesn't ask for the password and it's possible to access the admin area.

Tags: No tags attached.

Relationships

related to 0015029 (resolved, michiel): Identical Cookies allow login to multiple installations

Activities

michiel

02-10-18 19:32

manager ~0061186


Hmm, interesting. It would be good to verify this. It's quite possible it works when e.g. the logins are the same (username and password), as we store and verify the password hash in the session. Once the login details are different this should not work, but it will be good to check.

It can probably be resolved by setting a different cookie per installation. We should specifically set something like "phpList-[Installation]".

duncanc

02-10-18 20:00

updater ~0061189

This issue, or at least something very similar, was raised in the past: https://mantis.phplist.org/view.php?id=15029

Then the cause was identified to be using the same name for the session cookie in each installation, i.e. PHPSESSID.
Using a unique session name for each installation should resolve this.

michiel

02-10-18 20:07

manager ~0061190

Thanks for the reference Duncan.

xheni

02-10-18 22:27

administrator ~0061193

Due to the way PHP sessions work, a valid session for application A can also be used for application B. PHP has no way to determine the scope of a session automatically.
Changing the session name won't resolve this, because you can edit the cookie name of instance A in the browser to be equal to that of instance B and you would still be logged in.
If you run multiple PHP apps, it would be recommended to set a custom session save path per application to avoid conflicts.
That said, I will look into hardening this further.
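As an added example, not code from phpList or from anyone in this thread, here is how the two mitigations proposed above (a unique session name per installation, and a separate session save path per installation) could be combined in an install's bootstrap, plus an install-id check stored in the session as defence in depth for the cookie-renaming case; the function names, the derived identifier and the /install1/ cookie path are assumptions.

```php
<?php
// Added example (not phpList code): the mitigations discussed in this thread,
// combined. Names, paths and the install-id check are hypothetical choices.
declare(strict_types=1);

// Stable per-installation identifier derived from where the install lives on disk,
// so /var/www/install1 and /var/www/install2 never share a name or a save path.
function installationId(string $installDir): string
{
    return substr(hash('sha256', realpath($installDir) ?: $installDir), 0, 16);
}

function startInstallationSession(string $installDir, string $cookiePath): void
{
    $id = installationId($installDir);

    // 1. Unique cookie name per install instead of the shared default PHPSESSID
    //    (the cause identified in 0015029).
    session_name('phpList-' . $id);

    // 2. Separate session storage per install (the recommendation in the thread):
    //    install2 cannot even read a session file written by install1.
    $savePath = sys_get_temp_dir() . '/phplist-sessions-' . $id;
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session dir $savePath");
    }
    session_save_path($savePath);

    // 3. Do not adopt an unknown session id handed over by the client.
    ini_set('session.use_strict_mode', '1');

    // Scope the cookie to this install's URL prefix, e.g. /install1/.
    session_set_cookie_params([
        'path' => $cookiePath, 'httponly' => true, 'samesite' => 'Lax',
    ]);

    session_start();

    // 4. Defence in depth for the cookie-renaming case raised by xheni: a session
    //    record must carry this install's id, otherwise it is discarded.
    if (isset($_SESSION['install_id']) && !hash_equals($_SESSION['install_id'], $id)) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['install_id'] = $id;
}

// Hypothetical bootstrap for one install served under http://server/install1/
startInstallationSession(__DIR__, '/install1/');
```

With distinct save paths a session from install1 is simply absent from install2's store, and strict mode stops PHP from silently creating an empty session under the presented id; the install-id check only matters if the two installs are ever pointed at the same storage.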