View Issue Details
Field | Value |
---|---|
ID | 0012277 |
Project | mantisbt |
Category | security |
View Status | public |
Date Submitted | 2010-08-22 22:09 |
Last Update | 2011-08-05 02:25 |
Reporter | pklanka |
Assigned To | dhx |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | duplicate |
Platform | All |
OS | All |
OS Version | all |
Product Version | 1.1.8 |
Summary | 0012277: Cookie tokens are constant for a particular user |
Description | Mantis does not use randomized tokens for the users; rather it uses the same token as the session ID every time a user logs in. Stealing the cookie token could result in the hijack of the session. |
Steps To Reproduce | Log in as a user and obtain a session ID. Log out, clear sessions, close the browser and log in again: the same old session ID is obtained. |
Tags | No tags attached. |
If you're worried about someone listening over the line that could hijack session tokens, SSL is really the only solution to this, whether the token changes or stays constant.

I guess even SSL would not be of much help. HTTP snooping is not the only way an attacker could obtain the session ID. Sometimes an attacker could use other vulnerabilities in the system / domain pages and obtain the session ID of the user. E.g., if there is XSS in some Mantis page or a page in the same domain (where Mantis is installed), the attacker could easily obtain the session ID of the user and impersonate him / her. Also, in this particular case, session ID snooping has a larger implication: since the ID is non-random, it directly makes the requirement of a username and password redundant.

@pklanka: I added HttpOnly cookie security in 1.2.0, which is a security feature now supported by all the major browsers that I'm aware of. This feature prevents sensitive cookies, such as session IDs, from being read from within JavaScript code running on the site. I do agree we need to rotate session IDs between multiple user logins. I thought we would have been doing this already with the PHP session cookies. In other words, I think MantisBT uses both PHP and custom session IDs. I've never looked into this area a great deal, so I'll try to investigate it further. @jreese, do you know how MantisBT treats PHP vs MantisBT session IDs?
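The symptom in the report and the two mitigations discussed in the thread (rotating the session ID on every login, and marking the cookie HttpOnly), as an added example that is not MantisBT's code: a constructed store that derives a constant token from the account, beside one that mints a fresh random token and invalidates the old one, plus a checker for the cookie flags. The cookie name `session_token` is a placeholder.

```python
import hashlib
import secrets


class ConstantSessionStore:
    """Constructed illustration of the reported symptom: the token is derived
    from the account, so every login yields the same value (not MantisBT code)."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, username):
        token = hashlib.sha256(username.encode()).hexdigest()[:32]
        self.sessions[token] = username
        return token

    def logout(self, token):
        self.sessions.pop(token, None)

    def user_for(self, token):
        return self.sessions.get(token)


class RotatingSessionStore(ConstantSessionStore):
    """The fix the thread asks for: a fresh unpredictable token per login, and
    any earlier token bound to the same account is invalidated."""

    def login(self, username):
        for old in [t for t, u in self.sessions.items() if u == username]:
            del self.sessions[old]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token] = username
        return token


def reproduce_report(store, username):
    # The reporter's steps: log in, log out, log in again, compare the tokens,
    # and check whether the first token still resolves to a user.
    first = store.login(username)
    store.logout(first)
    second = store.login(username)
    return {"rotated": first != second,
            "old_token_valid": store.user_for(first) is not None}


def session_cookie(token):
    # Set-Cookie value with the flags the thread relies on: HttpOnly keeps the
    # token out of document.cookie; Secure keeps it off plaintext HTTP.
    return f"session_token={token}; Path=/; Secure; HttpOnly"


def cookie_flags_missing(set_cookie):
    # Report which of the two flags above a Set-Cookie header line lacks.
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return [flag for flag in ("httponly", "secure") if flag not in attrs]
```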