This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: ather iqbal [Submitted to the original trac issue database at 2.34pm, Friday, 7th September 2018]
Hi team,
I am a security researcher, and this time I found this vulnerability in your website.
Vulnerability: Failure to invalidate session on password change
I observed that when we change the password from one browser, instead of the session expiring in the other browser, it just updates the password from the other browser and the old session gets updated without being logged out.
Steps to check the session management issue on password change:
1- Log in from two browsers at a time [from the Chrome browser and from Mozilla Firefox]
2- Change the password in settings from the Chrome browser
3- Now check Mozilla Firefox
4- Your session got updated instead of expiring
Recommendations:
If the session is being updated from one browser, the other should expire first, and the session should be renewed after login.
Thanks
Regards:
Ather Iqbal
Perhaps you could explain why you feel this is a vulnerability - the other session was validly authenticated with the password that existed at the time. Presumably the argument is that IF a password is being changed because it has been compromised the old session might have been started by somebody who was not supposed to have been in possession of the password?
The problem is that I don't believe there is any way we can invalidate the session as things stand, because there is no way to find all the sessions for a given user.
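One way to work around the obstacle raised in the comment above, as an added example that is not the project's own code: bind every session to a per-user password-generation counter at login and check it on each request, so a password change invalidates all other sessions for that user without having to enumerate them. `User`, `SessionStore` and the sample credentials are assumed for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password_hash: str
    password_generation: int = 0  # incremented on every password change


def _hash(password: str) -> str:
    # Toy hash for the example; a real system uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class SessionStore:
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # sid -> (username, generation)

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = User(username, _hash(password))

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password)):
            return None
        sid = secrets.token_urlsafe(32)
        # Record the password generation that was current when this session began.
        self.sessions[sid] = (username, user.password_generation)
        return sid

    def current_user(self, sid: str):
        """Return the username for a valid session, or None for a stale one."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, generation = entry
        if generation != self.users[username].password_generation:
            self.sessions.pop(sid, None)  # password changed since login: reject
            return None
        return username

    def change_password(self, sid: str, new_password: str) -> None:
        username = self.current_user(sid)
        if username is None:
            raise PermissionError("not authenticated")
        user = self.users[username]
        user.password_hash = _hash(new_password)
        user.password_generation += 1
        # Re-bind only the session that made the change; every other session
        # for this user now carries a stale generation and fails validation.
        self.sessions[sid] = (username, user.password_generation)
```

The same check works with any server-side session store, since the only per-user state it needs is the generation counter on the user record.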