[OpenStreetMap] #5499: Vulnerability Report 1 : Failure to invalidate session on Password Change
OpenStreetMap
trac at noreply.openstreetmap.org
Sat Sep 8 15:11:31 UTC 2018
#5499: Vulnerability Report 1 : Failure to invalidate session on Password Change
--------------------------+------------------------------------
Reporter: ather iqbal | Owner: rails-dev@…
Type: defect | Status: new
Priority: minor | Milestone: OSM 0.5
Component: website | Version: 2.0
Resolution: | Keywords: check quick and pay me
--------------------------+------------------------------------
Changes (by TomH):
* priority: critical => minor
Comment:
This bug tracker is no longer in regular use - please use
https://github.com/openstreetmap/openstreetmap-website/issues/ for
reporting issues.
Perhaps you could explain why you feel this is a vulnerability - the other
session was validly authenticated with the password that existed at the
time. Presumably the argument is that IF a password is being changed
because it has been compromised the old session might have been started by
somebody who was not supposed to have been in possession of the password?
The problem is that I don't believe there is any way we can invalidate the
session as things stand, because there is no way to find all the sessions
for a given user.
--
Ticket URL: <https://trac.openstreetmap.org/ticket/5499#comment:1>
OpenStreetMap <https://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
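One way to get the effect the comment above says the site cannot currently achieve, as an added illustration that is not part of the ticket or of openstreetmap-website: instead of locating every session that belongs to a user, the user record carries a password-generation counter, each session copies it at login, and every request compares the two, so sessions started before a password change fail on their next request without the server ever enumerating them. The User, Session and SessionStore classes are assumed in-memory stand-ins for the real models (a Rails app would keep the generation in the signed session cookie and compare it against a column on the user).

```ruby
require 'securerandom'

# Assumed user model (not openstreetmap-website code) with a generation counter.
class User
  attr_reader :id, :password_generation
  def initialize(id, password)
    @id, @password, @password_generation = id, password, 0
  end
  def authenticate?(password)
    @password == password
  end
  def change_password!(new_password)
    @password = new_password
    @password_generation += 1   # every session copied before this is now stale
  end
end
# Session record: owning user and the generation that was current at login.
Session = Struct.new(:user_id, :password_generation)
class SessionStore
  def initialize(users)
    @users = users.each_with_object({}) { |u, h| h[u.id] = u }
    @sessions = {}
  end
  # Returns a session token, or nil if the credentials are wrong.
  def login(user_id, password)
    user = @users[user_id]
    return nil unless user && user.authenticate?(password)
    token = SecureRandom.hex(16)
    @sessions[token] = Session.new(user_id, user.password_generation)
    token
  end
  # Token -> user; nil if unknown or started before the last password change.
  def current_user(token)
    session = @sessions[token]
    user = session && @users[session.user_id]
    return nil unless user && session.password_generation == user.password_generation
    user
  end
  # Changes the password from an authenticated session and keeps only that
  # session alive; every other session for the user is stale from now on.
  def change_password(token, new_password)
    user = current_user(token)
    return false unless user
    user.change_password!(new_password)
    @sessions[token].password_generation = user.password_generation
    true
  end
end
```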