[OpenStreetMap] #5499: Vulnerability Report 1 : Failure to invalidate session on Password Change
OpenStreetMap
trac at noreply.openstreetmap.org
Sat Sep 8 14:29:49 UTC 2018
#5499: Vulnerability Report 1 : Failure to invalidate session on Password Change
------------------------------------+-------------------------
 Reporter:  ather iqbal             |      Owner:  rails-dev@…
     Type:  defect                  |     Status:  new
 Priority:  critical                |  Milestone:  OSM 0.5
Component:  website                 |    Version:  2.0
 Keywords:  check quick and pay me  |
------------------------------------+-------------------------
Hi team,
I am a security and this time I found this vulnerability in your website.

Vulnerability: Failure to invalidate session on Password Change

I observe that when we change the password from one browser, instead of
the session expiring in the other browser, it just updates the password
and the old session gets updated without being logged out.

Steps to check the session management issue on password change:
1- Log in from two browsers at a time [from the Chrome browser and from
   Mozilla Firefox]
2- Change the password in settings from the Chrome browser
3- Now check Mozilla Firefox
4- Your session got updated instead of expiring

Recommendations:
If the session is updated from one browser, the other should expire first,
to renew the session after login.

Thanks
Regards:
Ather Iqbal
--
Ticket URL: <https://trac.openstreetmap.org/ticket/5499>
OpenStreetMap <https://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
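
The behaviour the report recommends, as an added example that is not part of the original ticket and not OpenStreetMap's code. It is plain Ruby with no Rails dependency; `SessionStore`, `cred_version` and the SHA-256 stand-in digest are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory model, not OpenStreetMap's code. Each session stores
# the account's credential version at login; a password change bumps it.
class SessionStore
  User = Struct.new(:password_digest, :cred_version)
  def initialize
    @users = {}     # name  => User
    @sessions = {}  # token => [name, cred_version at login]
  end

  def add_user(name, password)
    @users[name] = User.new(digest(password), 1)
  end

  def login(name, password)
    user = @users[name]
    return nil unless user && user.password_digest == digest(password)
    token = SecureRandom.hex(16)
    @sessions[token] = [name, user.cred_version]
    token
  end

  # Valid only if the session was issued under the current credential version.
  def current_user(token)
    name, version = @sessions[token]
    return nil unless name
    return name if version == @users[name].cred_version
    @sessions.delete(token) # stale: predates the last password change
    nil
  end

  # Expires every existing session for the account, then issues a fresh token
  # to the browser that made the change so it stays logged in.
  def change_password(token, new_password)
    name = current_user(token) or return nil
    user = @users[name]
    user.password_digest = digest(new_password)
    user.cred_version += 1
    login(name, new_password)
  end

  private
  # Stand-in for a real password hash such as bcrypt; used only for the demo.
  def digest(password)
    Digest::SHA256.hexdigest(password)
  end
end
```

With two logins for one account, the token held by the second browser stops resolving to a user as soon as the first browser calls `change_password`.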