
Critical Security Problem - User sessions mixed up?!


Nabil Imran

Thursday 03 September 2009 9:09:03 am

Hello,

First of all, is there a special forum for security questions? Didn't find one.

Now the question:

Something VERY strange just happened:

I just logged in to the eZ Publish site of a customer with my user called "nimran". Some minutes later the customer also logged in with his own user.
For some reason eZ displayed my username on his logout button. He could see the "logout (nimran)" link in his browser and sent me a screenshot of that!!!
He definitely does not know my password. Also I trust him that he did not hack it or whatever. It happened accidentally!
It seemed that eZ Publish mixed up the sessions, so he logged in with his data, but got my user!!!

Unfortunately I don't know if he really got my permissions, or if it was just a display bug, as he logged out before we could check that. But eZ definitely showed him logged in as me!

how can this happen??

If eZ really mixed up the sessions / user permissions for any reason, it might be a very dirty threading bug or likewise.
If it was just a bug in display, it might be a caching problem.

Is this really possible???

Apache is running in prefork mode with PHP 5.2.0 and eZ Publish 4.01. All caches are activated. Static cache is active as well, but should not be involved because it's generated without login by the generator.

The site runs for almost a year now and we never experienced problems like that before!!

I am very afraid about what that just was.....

Any ideas on that??

Christophe Condomines

Thursday 03 September 2009 9:18:02 am

It seems to be a typical problem of cache configuration. Did you check how this template is cached?

Microblau SL
http://www.microblau.net

Greg McAvoy-Jensen

Thursday 03 September 2009 9:24:41 am

Nabil,

FYI security issues are addressed using the issue tracker, and there's a special flag you can set for security concerns to give them special handling. You can read more here:

http://ez.no/developer/security

Granite Horizon, Certified Developer of eZ Publish Web Solutions
Provider of the SaaS Solution Granite Horizon In The Cloud | http://granitehorizon.com/cloud
http://granitehorizon.com | +1 916 647 6350 | California USA | @granitegreg
Blog: http://granitehorizon.com/blog

André R.

Friday 04 September 2009 12:57:04 am

If you do add a security issue, then provide some more info. For instance, do you use ezwebin / ezflow / plain package? And if any of the first two, what versions of the extensions? There was such an issue in the first version of ezwebin back in 3.9 (ezwebin 1.0/1.1).

But that was, as stated above, a cache issue (cache-block keys not being unique per user), so you could see another person's login name, but you weren't logged in as him, so you didn't have any more access than you normally have.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Nabil Imran

Friday 04 September 2009 7:22:22 am

Thanks so far, I created an issue for that, adding some more details. Also I think it is a cache problem; I marked it as a security issue because it might be a security problem.

In short:
I'm using ezwebin 1.3.0 and the username was inside a cache-block that contains $user_hash as cache key.

All details can be found in the issue tracker.

André R.

Friday 04 September 2009 1:07:30 pm

$user_hash is not unique enough for the user name; it's a hash of what the user has access to, so users with access to the same things have the same cache (read: for cache efficiency).
Either remove the name from the code or do it like webin does it, see:
http://svn.ez.no/svn/extensions/ezwebin/stable/1.3/packages/ezwebin_extension/ezextension/ezwebin/design/ezwebin/templates/pagelayout.tpl

First cache block is per user:

{cache-block keys=array( $uri_string, $basket_is_empty, $user_id )}

Second (nested) cache-block does not use the user id, and is therefore shared among several users; it is after the logout (<name>) code (and the basket code):

{cache-block keys=array( $uri_string, $user_hash )}

So you can safely close your issue. If you want to be 100% sure:
* Log in with a user that has exactly the same rights as you, meaning same user group and, if any, same direct roles (create a new user if you have to).
* Then surf around your site and log out.
* Log in with your regular user and observe that the other user's name is in the logout link.
* Click on the profile link ( /user/edit ).

Make sure you do the three last steps while no one is publishing content or clearing cache.
If on the last point you see the other user's profile, then you have session issues or someone screwed up and didn't close the cache-block before the $module_result.content line. If you don't, then it's just a cache issue as explained above.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom
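To make the distinction André draws concrete, here is an added simulation (not eZ Publish code, not from anyone in this thread) of a template fragment cache. The user table, the `user_hash()` function standing in for `$user_hash`, the `FragmentCache` class and both `pagelayout_*` functions are constructed for illustration; the real `$user_hash` is computed by eZ Publish from the user's access, but the property that matters is reproduced: two users with identical roles get the same hash. The leaky layout renders the logout link inside a block keyed only on `$user_hash`; the fixed layout keys the block holding the name on `$user_id` and keeps only role-dependent output in the shared `$user_hash` block, mirroring the two-block structure André describes in ezwebin's pagelayout.tpl.

```python
"""Constructed simulation of cache-block key scoping (example code, not eZ Publish's)."""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed users: nimran and the customer share the same role set, admin does not.
USERS = {
    "nimran":   {"id": 14, "roles": ("Members",)},
    "customer": {"id": 27, "roles": ("Members",)},
    "admin":    {"id": 1,  "roles": ("Members", "Administrator")},
}


def user_hash(user: str) -> str:
    """Stand-in for $user_hash: derived from what the user can access, not who they are."""
    roles = ",".join(sorted(USERS[user]["roles"]))
    return hashlib.sha1(roles.encode()).hexdigest()[:12]


def render_logout_link(user: str) -> str:
    """The per-user fragment that leaked in the thread."""
    return f'<a href="/user/logout">Logout ({user})</a>'


class FragmentCache:
    """Minimal {cache-block keys=...} model: first render for a key set is stored, then reused."""

    def __init__(self) -> None:
        self.store: Dict[Tuple, str] = {}
        self.misses = 0

    def cache_block(self, keys: Tuple, render: Callable[[], str]) -> str:
        if keys not in self.store:
            self.misses += 1
            self.store[keys] = render()
        return self.store[keys]


def pagelayout_leaky(cache: FragmentCache, uri: str, user: str) -> str:
    # Problem pattern: user name rendered inside a block keyed on ($uri_string, $user_hash).
    # Everyone with the same access shares this fragment, name included.
    return cache.cache_block((uri, user_hash(user)), lambda: render_logout_link(user))


def pagelayout_fixed(cache: FragmentCache, uri: str, user: str) -> str:
    # Fixed pattern: the name lives in a block keyed per user ($uri_string, $user_id) ...
    head = cache.cache_block((uri, USERS[user]["id"]), lambda: render_logout_link(user))
    # ... and only access-dependent output goes in the block shared via $user_hash.
    menu = cache.cache_block((uri, user_hash(user), "menu"), lambda: "<nav>shared menu</nav>")
    return head + menu


def simulate(pagelayout: Callable[[FragmentCache, str, str], str]) -> dict:
    """Replay the thread's scenario: nimran visits a URI, then the customer visits it."""
    cache = FragmentCache()
    uri = "/"
    pagelayout(cache, uri, "nimran")
    page_for_customer = pagelayout(cache, uri, "customer")
    return {"leaked": "(nimran)" in page_for_customer, "misses": cache.misses}


if __name__ == "__main__":
    print("same access => same $user_hash:", user_hash("nimran") == user_hash("customer"))
    print("leaky layout:", simulate(pagelayout_leaky))
    print("fixed layout:", simulate(pagelayout_fixed))
```

Running it shows the leaky layout serving the customer a page containing "(nimran)" on a cache hit, while the fixed layout costs one extra cache miss per user for the small per-user block and never shows another user's name. Note what the simulation also makes visible: the leak is purely in cached output; the `user` argument (the session) is never mixed up, which is why André says the customer had no extra permissions.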
