[Vtigercrm-developers] security issue with multiple vtigers on the same host
Manu urs
manu.k at vtiger.com
Wed Jan 13 15:00:00 GMT 2016
Thanks Alan for notifying. We will check and get back to you.
http://code.vtiger.com/vtiger/vtigercrm/issues/56
Regards,
Manu Urs
On Wed, Jan 13, 2016 at 7:45 PM, Alan Bell <alan.bell at libertus.co.uk> wrote:
> Hi
>
> if you have multiple vtigers on one host then they all share the same
> scope for the PHP session, which means if you have two vtigers configured
> like this:
>
> http://host/foo/index.php
> username=admin, uid=1, password="foo"
>
> http://host/bar/index.php
> username=admin, uid=1, password="bar"
>
> you can log in to foo, then switch your browser URL to go into the vtiger
> called bar and you will be logged in with admin access without knowing the
> password for that system. Works for any matching userid, but we know that
> the admin user always matches so it is easy to demonstrate with that.
>
> This is because the includes/main/WebUI.php doesn't check the session
> application unique id, so it doesn't validate that the session is for the
> current vtiger.
> Line 39 of includes/main/WebUI.php should be something like:
> if ($userid &&
> vglobal('application_unique_key')==$_SESSION['app_unique_key']) {
>
> if some kind of single sign on between multiple instances is actually the
> desired behavior then make the application unique id in the config.inc.php
> match in both systems.
>
> Alan.
--
Regards,
Manu
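The report above comes down to two things: every vtiger instance on the host receives the same PHP session cookie, and the application never checks that the session it finds was created by the instance now serving the request. The PHP below is an added, stand-alone illustration of both mitigations and is not vtiger's code. It assumes a per-instance secret in the constant `APP_UNIQUE_KEY` (vtiger's equivalent is `application_unique_key` in config.inc.php, read through `vglobal()` as in Alan's suggested line) and a per-instance URL prefix such as `/foo/`; the function names are hypothetical.

```php
<?php
// Added example (not vtiger code): bind a PHP session to one application instance.
// APP_UNIQUE_KEY is a placeholder for the secret each instance keeps in its own config.
const APP_UNIQUE_KEY = 'replace-with-this-instance-key';

// Defence in depth: give each instance its own cookie name and cookie path so the
// browser does not present /foo's session cookie to /bar at all.
function startIsolatedSession(string $appKey, string $basePath): void {
    // Derive the cookie name from the key so two instances never collide;
    // only a prefix of the hash is used, the key itself never reaches the client.
    session_name('VTSESS_' . substr(hash('sha256', $appKey), 0, 16));
    session_set_cookie_params([
        'path'     => $basePath,                 // e.g. '/foo/' (constructed)
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// At login: record which instance created the session, and rotate the id so a
// pre-login session id cannot be carried over.
function bindSessionToApp(string $appKey, int $userId): void {
    session_regenerate_id(true);
    $_SESSION['authenticated_user_id'] = $userId;
    $_SESSION['app_unique_key']        = $appKey;
}

// On every request: the check the report says WebUI.php lacks. A session is only
// accepted if the key stored in it matches the key of the instance handling the
// request; a session created by another instance on the same host is discarded.
function sessionUserForApp(string $appKey): ?int {
    $userId   = $_SESSION['authenticated_user_id'] ?? null;
    $boundKey = $_SESSION['app_unique_key'] ?? null;
    if ($userId === null || $boundKey === null) {
        return null;                               // not logged in
    }
    if (!hash_equals($appKey, (string) $boundKey)) {
        session_unset();                           // foreign session: treat as logged out
        session_destroy();
        return null;
    }
    return (int) $userId;
}

// Usage (constructed): run near the top of index.php for the instance at /foo/.
// startIsolatedSession(APP_UNIQUE_KEY, '/foo/');
// $uid = sessionUserForApp(APP_UNIQUE_KEY);
// if ($uid === null) { /* redirect to the login page */ }
```

The key comparison is the fix Alan proposes; the cookie-name and cookie-path isolation is an additional layer, because it stops the shared cookie from reaching the second instance even if a future code path forgets the check. As the report notes, giving two instances the same key deliberately turns the check into a form of shared login, so the keys must differ wherever the instances are meant to be separate.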