[announce] SECURITY: unencrypted session storage

Jan Schneider jan at horde.org
Tue Jul 1 09:37:42 UTC 2014


a vulnerability has been discovered in the Horde_Core library versions  
2.5.0 to 2.11.1 that may leave sensitive information stored  
unencrypted in the user session.

Sensitive information like passwords is usually stored encrypted in  
the session storage when using Horde_Core, the base library for all  
Horde applications. Due to a typo in the code introduced in version  
2.5.0 of this library, that allows to regenerate session IDs without  
logging users out, any information that was stored encrypted before  
the ID regeneration is stored unencrypted after. By default session  
IDs are regenerated after a session has been active for 6 hours. To  
exploit this issue, an attacker must have access to the session  
storage backend of the system.

Thanks to Thomas Jarosch from Intra2net for discovering and reporting  
this vulnerability and for providing a patch to fix it.

Jan Schneider
The Horde Project

More information about the announce mailing list