[Vtigercrm-developers] security issue with multiple vtigers on the same host

Prasad prasad at vtiger.com
Wed Jan 13 19:03:51 GMT 2016


Session cookie path needs tuning
<http://code.vtiger.com/vtiger/vtigercrm/issues/56#note_406>.

--
FB <http://www.facebook.com/vtiger> I Twit <http://twitter.com/vtigercrm> I
LIn <https://www.linkedin.com/company/1270573?trk=tyah> I Blog
<https://blogs.vtiger.com> I Website <https://www.vtiger.com/>

On Wed, Jan 13, 2016 at 8:30 PM, Manu urs <manu.k at vtiger.com> wrote:

> Thanks Alan for notifying. We will check and get back to you.
>
> http://code.vtiger.com/vtiger/vtigercrm/issues/56
>
> Regards,
> Manu Urs
>
> On Wed, Jan 13, 2016 at 7:45 PM, Alan Bell <alan.bell at libertus.co.uk>
> wrote:
>
>> Hi
>>
>> if you have multiple vtigers on one host then they all share the same
>> scope for the PHP session, which means if you have two vtigers configured
>> like this:
>>
>> http://host/foo/index.php
>> username=admin, uid=1, password="foo"
>>
>> http://host/bar/index.php
>> username=admin, uid=1, password="bar"
>>
>> you can log in to foo, then switch your browser URL to go into the vtiger
>> called bar and you will be logged in with admin access without knowing the
>> password for that system. Works for any matching userid, but we know that
>> the admin user always matches so it is easy to demonstrate with that.
>>
>> This is because includes/main/WebUI.php doesn't check the session
>> application unique id, so it doesn't validate that the session is for the
>> current vtiger.
>> Line 39 of includes/main/WebUI.php should be something like:
>>
>>     if ($userid && vglobal('application_unique_key') == $_SESSION['app_unique_key']) {
>>
>> if some kind of single sign on between multiple instances is actually the
>> desired behavior then make the application unique id in the config.inc.php
>> match in both systems.
>>
>> Alan.
>> _______________________________________________
>> http://www.vtiger.com/
>>
>
>
>
> --
> Regards,
> Manu
>
> _______________________________________________
> http://www.vtiger.com/
>
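The two mitigations discussed in this thread, the session check Alan proposes and the cookie-path tuning Prasad points to, as an added standalone example. This is not vtiger's code: it assumes a `$config['application_unique_key']` value standing in for the per-instance key from config.inc.php, and the session field name `authenticated_user_id` is an assumption; `app_unique_key` and `application_unique_key` are the names used in the thread.

```php
<?php
// Added example (not vtiger code): bind a PHP session to one instance on a
// shared host so a login at /foo/ is never honoured at /bar/.

$config = [
    // Constructed placeholder; each instance has its own value in config.inc.php.
    'application_unique_key' => 'REPLACE-WITH-INSTANCE-SPECIFIC-KEY',
];

// 1. Scope the session cookie to this instance's directory (/foo/ or /bar/).
//    With a per-instance path the browser does not send /foo's session cookie
//    to /bar at all, so the two instances stop sharing one PHP session.
function instanceCookiePath(): string
{
    // SCRIPT_NAME is e.g. "/foo/index.php"; keep the directory with a trailing slash.
    $dir = rtrim(dirname($_SERVER['SCRIPT_NAME'] ?? '/'), '/\\');
    return $dir === '' ? '/' : $dir . '/';
}

session_set_cookie_params([
    'path'     => instanceCookiePath(),
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();

// 2. Defence in depth: even if a session id reaches this instance (shared cookie
//    path, pasted cookie, proxy rewriting), accept it only if it was created here.
function sessionBelongsToThisInstance(array $session, string $instanceKey): bool
{
    return isset($session['app_unique_key'])
        && hash_equals($instanceKey, (string) $session['app_unique_key']);
}

// Returns the authenticated user id, or null when the session is not trusted.
// A session carrying a user id but the wrong (or no) instance key is discarded
// rather than being treated as a login, which is the gap described in the thread.
function currentUserId(array &$session, string $instanceKey): ?int
{
    $userid = $session['authenticated_user_id'] ?? null; // field name assumed
    if ($userid && sessionBelongsToThisInstance($session, $instanceKey)) {
        return (int) $userid;
    }
    if ($userid !== null) {
        $session = [];                 // drop the foreign session's state
        session_regenerate_id(true);   // and its id, so it cannot be replayed here
    }
    return null;
}

// Called once credentials have been verified: tag the new session with this
// instance's key so currentUserId() will accept it on later requests.
function markSessionForThisInstance(array &$session, int $userid, string $instanceKey): void
{
    session_regenerate_id(true);       // fresh id on privilege change
    $session['authenticated_user_id'] = $userid;
    $session['app_unique_key']        = $instanceKey;
}

// Per-request use:
$uid = currentUserId($_SESSION, $config['application_unique_key']);
if ($uid === null) {
    // not logged in to *this* instance: show the login page
}
```

Both halves matter: the cookie path keeps the instances from exchanging session ids in the normal case, and the key comparison refuses a session that was not issued by this instance even when the cookie scope is wrong. As Alan notes, deliberately setting the same `application_unique_key` in two instances turns the check into single sign-on between them, so distinct keys per instance are the safe default.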