Prevent SSO fixation attacks against WebGUI by modifying Operation/SSO to log the user in as the user with a different session, and to require a flag in the config file to enable it. This feature will be removed in WebGUI 8. Fixes bug #12004.
This commit is contained in:
Colin Kuskie
parent
c65fd1946a
commit
6f34c25e82
4 changed files with 20 additions and 3 deletions
|
|
@ -26,12 +26,15 @@ TODO
|
|||
|
||||
=head2 www_ssoViaSessionId
|
||||
|
||||
TODO: DOCUMENT ME
|
||||
Allows a user to login as another user, by referencing that user's sessionId. Requires that
|
||||
sessionId is passed as a form or URL parameter. It does NOT duplicate the original user's session,
|
||||
it just switches you to that user.
|
||||
|
||||
=cut
|
||||
|
||||
sub www_ssoViaSessionId {
|
||||
my $session = shift;
|
||||
return undef unless $session->config->get('enableSimpleSSO');
|
||||
my $sessionId = $session->form->get("sessionId");
|
||||
if (defined $sessionId && $sessionId ne "") {
|
||||
if ($sessionId eq $session->getId) {
|
||||
|
|
@ -41,7 +44,7 @@ sub www_ssoViaSessionId {
|
|||
my ($userId) = $session->db->quickArray("select userId from userSession where sessionId=?",[$sessionId]);
|
||||
if (defined $userId && $userId ne "") {
|
||||
$session->var->end;
|
||||
$session->var->start($userId, $sessionId);
|
||||
$session->var->start($userId);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue