[Session] Security Vulnerability
What are the steps to reproduce this issue?
- Set up 2 SourceBans web instances on the same domain.
- Create a few admin accounts (different on each instance).
- Log in to one of the admin accounts on instance 1.
- Open a page of instance 2 and you'll see you are logged in as another account (with the same AID as the account on instance 1).
What happens?
When you log in to an account on one of the banlists on the same domain, sessions are not separated, so you are automatically logged in on each of them as different users with the same AID.
What were you expecting to happen?
When I log in to one banlist, I should NOT be logged in on another.
Any logs, error output, etc.?
None
Any other comments?
None
What versions of software are you using?
Operating System: Linux
SourceBans++ Version: 1.6.4
PHP Version: 7.4
MySQL Version: 10.5.8-MariaDB
Link to your project: I prefer not to.
Link to a phpinfo() output: I have no option to access this information.
To clarify the problem: John logs in to the banlist with address banlist.example.com/csgo/public. John has AID 21. When John goes to the banlist with address banlist.example.com/csgo/jailbreak, he is logged in as user Andrew, who also has AID 21.
The problem is that John shouldn't have permission to access the admin panel of the Jailbreak banlist because he isn't a Jailbreak admin, but he can do so because the AID saved in his session is valid for both banlists.
You can patch this manually by setting the path of the session cookie to /csgo/public and /csgo/jailbreak respectively.
https://github.com/sbpp/sourcebans-pp/blob/63637f0d3c4c73805d4fbb484ba431ac7d23b462/web/includes/auth/Auth.php#L97
https://github.com/sbpp/sourcebans-pp/blob/63637f0d3c4c73805d4fbb484ba431ac7d23b462/web/includes/auth/Auth.php#L104
I'd recommend using different subdomains though since cookie paths tend to be interpreted differently by different browsers.
Hi, yes, but it is only a temporary fix because a user can easily change their cookie path, so I was hoping for some long-term solution.
Anyway thanks for your answer.
edit: Domain/subdomain change is not an option.
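One server-side shape for the long-term fix asked for above, as an added example rather than SourceBans++ code: a per-instance session cookie name plus a check that the session was issued by the instance reading it, so an AID from one banlist is never honoured by another regardless of what the client does with the cookie path. `INSTANCE_ID`, the `instance` session key and the function names are assumptions for the illustration.

```php
<?php
// Added example, not SourceBans++ code. Binds a PHP session to the banlist
// instance that created it, so an AID issued by /csgo/public is never honoured
// by /csgo/jailbreak even when both share a host and the cookie path is edited.

// Assumption: each instance configures its own identifier, e.g. from its config.
const INSTANCE_ID = 'csgo/jailbreak';

function startInstanceSession(string $instanceId): void
{
    // A distinct cookie name per instance, so the two instances never read each
    // other's session id. The Path attribute is not a security boundary (the
    // client controls it), so it is left at '/' and not relied on.
    session_name('sbpp_sess_' . substr(hash('sha256', $instanceId), 0, 16));
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginAdmin(int $aid, string $instanceId): void
{
    session_regenerate_id(true);          // fresh id on privilege change
    $_SESSION['aid']      = $aid;
    $_SESSION['instance'] = $instanceId;  // record which instance issued it
}

// Weak check, as described in the report: the AID alone decides the admin,
// so AID 21 resolves to John on one banlist and to Andrew on the other.
function currentAdminWeak(array $session): ?int
{
    return isset($session['aid']) ? (int) $session['aid'] : null;
}

// Hardened check: the AID is honoured only if this instance issued the session.
function currentAdminHardened(array $session, string $instanceId): ?int
{
    if (!isset($session['aid'], $session['instance'])) {
        return null;
    }
    if (!hash_equals($instanceId, (string) $session['instance'])) {
        return null;                      // session belongs to another instance
    }
    return (int) $session['aid'];
}
```

With a shared cookie, a session carrying `instance => 'csgo/public'` and `aid => 21` yields `null` from `currentAdminHardened` on the jailbreak instance, where `currentAdminWeak` would have returned Andrew's AID.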
Wait, I misinterpreted this scenario. Are you sharing a database between the two instances or more specifically the sb_login_tokens table? Can you check if the "jti" header field from the sbpp_auth cookie is present in both databases?