Prevent session fixation attacks against WebGUI's SSO operation by modifying Operation/SSO to log the user in as the referenced user under a new session, and to require a flag in the config file to enable the feature. This feature will be removed in WebGUI 8. Fixes bug #12004.
This commit is contained in:
parent
c65fd1946a
commit
6f34c25e82
4 changed files with 20 additions and 3 deletions
|
|
@ -27,6 +27,7 @@
|
|||
- fixed #11976: Use Container URL in search gives user Permission Denied
|
||||
- fixed #11985: Search.pl should warn on bad assets
|
||||
- fixed #12008: Activity CleanLoginHistory is too slow
|
||||
- fixed #12004: SSO operation vulnerable to session fixation attacks
|
||||
|
||||
7.10.6
|
||||
- fixed #11974: Toolbar icons unclickable in Webkit using HTML5
|
||||
|
|
|
|||
|
|
@ -33,6 +33,7 @@ my $session = start(); # this line required
|
|||
# upgrade functions go here
|
||||
addEmailIndexToProfile( $session );
|
||||
addIndecesToUserLoginLog($session);
|
||||
addSSOOptionToConfigs($session);
|
||||
|
||||
finish($session); # this line required
|
||||
|
||||
|
|
@ -46,6 +47,15 @@ finish($session); # this line required
|
|||
# print "DONE!\n" unless $quiet;
|
||||
#}
|
||||
|
||||
#----------------------------------------------------------------------------
|
||||
# Add an index to the userProfileData table for email lookups
|
||||
sub addSSOOptionToConfigs {
|
||||
my $session = shift;
|
||||
print "\tAdding SSO flag to config file to enable the feature... " unless $quiet;
|
||||
$session->config->set('enableSimpleSSO', 0);
|
||||
print "DONE!\n" unless $quiet;
|
||||
}
|
||||
|
||||
#----------------------------------------------------------------------------
|
||||
# Add an index to the userProfileData table for email lookups
|
||||
sub addEmailIndexToProfile {
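Review bot: The header comment above `sub addSSOOptionToConfigs` (`# Add an index to the userProfileData table for email lookups`) is copied from addEmailIndexToProfile and describes the wrong function; replace it with `# Add the enableSimpleSSO flag to the site config, disabled by default`. The progress message `Adding SSO flag to config file to enable the feature...` is also misleading, since the value written is 0 and the feature stays off until an administrator turns it on; `Adding enableSimpleSSO flag to config file (disabled by default)...` would match what the code does. Writing 0 unconditionally is the right secure default for a new key, though if this upgrade can be re-run it would overwrite a site that had already enabled the flag, so a `unless defined $session->config->get('enableSimpleSSO')` guard is worth considering if re-runs are possible. The body of addEmailIndexToProfile continues outside the hunk.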
|
||||
|
|
|
|||
|
|
@ -1097,6 +1097,9 @@
|
|||
# An array of SPAM words. Used in the Post and WikiPage to block spam by sending the asset directly
|
||||
# to the trash.
|
||||
"spamStopWords" : [
|
||||
]
|
||||
],
|
||||
|
||||
# A flag to enable a very simple SSO mechanism using sessionIds.
|
||||
"enableSimpleSSO" : 0
|
||||
|
||||
}
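Review bot: The comment on the new `"enableSimpleSSO"` key does not tell an administrator what enabling it permits, and the config file is where that decision gets made. Given what www_ssoViaSessionId does with the value, a fuller comment would be `# A flag to enable a very simple SSO mechanism using sessionIds. When enabled, any request carrying a valid sessionId parameter is logged in as that session's user, so keep it at 0 unless the feature is required.` The default of 0 here matches what the upgrade script writes.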
|
||||
|
|
|
|||
|
|
@ -26,12 +26,15 @@ TODO
|
|||
|
||||
=head2 www_ssoViaSessionId
|
||||
|
||||
TODO: DOCUMENT ME
|
||||
Allows a user to login as another user, by referencing that user's sessionId. Requires that
|
||||
sessionId is passed as a form or URL parameter. It does NOT duplicate the original user's session,
|
||||
it just switches you to that user.
|
||||
|
||||
=cut
|
||||
|
||||
sub www_ssoViaSessionId {
|
||||
my $session = shift;
|
||||
return undef unless $session->config->get('enableSimpleSSO');
|
||||
my $sessionId = $session->form->get("sessionId");
|
||||
if (defined $sessionId && $sessionId ne "") {
|
||||
if ($sessionId eq $session->getId) {
|
||||
|
|
@ -41,7 +44,7 @@ sub www_ssoViaSessionId {
|
|||
my ($userId) = $session->db->quickArray("select userId from userSession where sessionId=?",[$sessionId]);
|
||||
if (defined $userId && $userId ne "") {
|
||||
$session->var->end;
|
||||
$session->var->start($userId, $sessionId);
|
||||
$session->var->start($userId);
|
||||
}
|
||||
}
|
||||
}
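Review bot: `return undef unless $session->config->get('enableSimpleSSO');` in the first hunk should be `return unless $session->config->get('enableSimpleSSO');` — `return undef` yields a one-element list in list context, and the bare form is the idiom; the gate itself is correctly placed before any form input is read. In the second hunk the lookup `select userId from userSession where sessionId=?` accepts any row that still exists; if the userSession table records an expiry, the query should also exclude expired sessions so a stale id cannot be used to log in after its owner's session has lapsed — please confirm against the schema. Starting a fresh session with `$session->var->start($userId)` instead of adopting the supplied id is the right fixation fix, and the POD could state it explicitly, e.g. `The caller receives a new session; the referenced sessionId is only used to identify the user and is never adopted.` The `if ($sessionId eq $session->getId)` branch between the two hunks is outside the view, so its handling is not reviewed here.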
|
||||
|
|
|
|||