[announce] SECURITY: unencrypted session storage
Jan Schneider
jan at horde.org
Tue Jul 1 09:37:42 UTC 2014
Hello,
A vulnerability has been discovered in the Horde_Core library, versions
2.5.0 to 2.11.1, that may leave sensitive information stored
unencrypted in the user session.

Sensitive information such as passwords is usually stored encrypted in
the session storage when using Horde_Core, the base library for all
Horde applications. Version 2.5.0 of this library introduced code that
allows session IDs to be regenerated without logging users out. Due to
a typo in that code, any information that was stored encrypted before
the ID regeneration is stored unencrypted afterwards. By default,
session IDs are regenerated after a session has been active for 6
hours. To exploit this issue, an attacker must have access to the
session storage backend of the system.
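As an added illustration (not Horde_Core's code, and not the actual typo), the Python model below shows the failure mode the advisory describes: a session-ID regeneration that re-writes entries under the new ID with the encryption flag wrong, beside a regeneration that preserves the stored ciphertext, plus a backend scan a defender can run to find sensitive keys resting in the clear. The toy cipher, store layout, key names and sample values are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed per-install secret; Horde's real key handling is not modelled.
SESSION_KEY = secrets.token_bytes(32)
SENSITIVE_KEYS = {"password"}  # keys that must never rest unencrypted

def _toy_cipher(nonce: bytes, data: bytes) -> bytes:
    """HMAC-counter keystream XOR: a stand-in for the real cipher, not Horde's."""
    stream = b"".join(hmac.new(SESSION_KEY, nonce + i.to_bytes(4, "big"),
                               hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def set_value(store, sid, key, value, encrypt=True):
    """Write one session entry; sensitive entries are encrypted at rest."""
    if encrypt:
        nonce = secrets.token_bytes(16)
        store[sid][key] = {"enc": True, "nonce": nonce.hex(),
                           "data": _toy_cipher(nonce, value.encode()).hex()}
    else:
        store[sid][key] = {"enc": False, "data": value}

def get_value(store, sid, key):
    """Read one entry, decrypting when the record is marked encrypted."""
    rec = store[sid][key]
    if rec["enc"]:
        return _toy_cipher(bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["data"])).decode()
    return rec["data"]

def regenerate_id_buggy(store, sid):
    """Models the defect: entries are decrypted on read and re-written with the wrong flag."""
    new_sid = secrets.token_hex(16)
    store[new_sid] = {}
    for key in store[sid]:
        set_value(store, new_sid, key, get_value(store, sid, key), encrypt=False)
    del store[sid]
    return new_sid

def regenerate_id_fixed(store, sid):
    """Move the stored records as they are; ciphertext stays ciphertext."""
    new_sid = secrets.token_hex(16)
    store[new_sid] = store.pop(sid)
    return new_sid

def find_plaintext_secrets(store):
    """Defender's check over the backend: sensitive keys resting unencrypted."""
    return sorted((sid, key) for sid, entries in store.items()
                  for key, rec in entries.items()
                  if key in SENSITIVE_KEYS and not rec["enc"])

def demo(buggy: bool):
    store = {"s1": {}}
    set_value(store, "s1", "password", "hunter2")           # constructed secret
    set_value(store, "s1", "lang", "de_DE", encrypt=False)  # harmless in the clear
    new_sid = (regenerate_id_buggy if buggy else regenerate_id_fixed)(store, "s1")
    return get_value(store, new_sid, "password"), len(find_plaintext_secrets(store))
```

Both variants still return the correct password to the application, which is why the defect is invisible to users and only shows up when the backend itself is inspected.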
Thanks to Thomas Jarosch from Intra2net for discovering and reporting
this vulnerability and for providing a patch to fix it.
--
Jan Schneider
The Horde Project
http://www.horde.org/
https://www.facebook.com/hordeproject