Critical Security Problem - User sessions mixed up?!

Nabil Imran

Thursday 03 September 2009 9:09:03 am

Hello,

First of all, is there a special forum for security questions? I didn't find one.

Now the question:

Something VERY strange just happened:

I just logged in to the eZ Publish site of a customer with my user called "nimran". Some minutes later the customer also logged in with his own user.
For some reason eZ displayed my username on his logout button. He could see a "logout (nimran)" link in his browser and sent me a screenshot of that!!!
He definitely does not know my password. Also, I trust him that he did not hack it or whatever. It happened accidentally!
It seemed that eZ Publish mixed up the sessions, so he logged in with his data, but got my user!!!

Unfortunately I don't know if he really got my permissions, or if it was just a display bug, as he logged out before we could check that. But eZ definitely showed him logged in as me!

how can this happen??

If eZ really mixed up the sessions / user permissions for any reason, it might be a very dirty threading bug or likewise.
If it was just a bug in display, it might be a caching problem.

Is this really possible???

Apache is running in prefork mode with PHP 5.2.0 and eZ Publish 4.01. All caches are activated. Static cache is active as well, but should not be involved because it's generated without login by the generator.

The site runs for almost a year now and we never experienced problems like that before!!

I am very afraid of what that just was...

Any ideas on that??

Christophe Condomines

Thursday 03 September 2009 9:18:02 am

It seems to be a typical problem of cache configuration. Did you check how this template is cached?

Microblau SL
http://www.microblau.net

Greg McAvoy-Jensen

Thursday 03 September 2009 9:24:41 am

Nabil,

FYI security issues are addressed using the issue tracker, and there's a special flag you can set for security concerns to give them special handling. You can read more here:

http://ez.no/developer/security

Granite Horizon, Certified Developer of eZ Publish Web Solutions
Provider of the SaaS Solution Granite Horizon In The Cloud | http://granitehorizon.com/cloud
http://granitehorizon.com | +1 916 647 6350 | California USA | @granitegreg
Blog: http://granitehorizon.com/blog

André R.

Friday 04 September 2009 12:57:04 am

If you do add a security issue, then provide some more info. For instance, do you use ezwebin / ezflow / plain package? And if any of the first two, what versions of the extensions? There was such an issue in the first version of ezwebin back in 3.9 (ezwebin 1.0/1.1).

But that was, as stated above, a cache issue (cache-block keys not being unique per user), so you could see another person's login name, but you weren't logged in as him, so you didn't have any more access than you normally have.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Nabil Imran

Friday 04 September 2009 7:22:22 am

Thanks so far, I created an issue for that, adding some more details. Also, I think it is a cache problem; I marked it as a security issue because it might be a security problem.

In short:
I'm using ezwebin 1.3.0 and the username was inside a cache-block that contains $user_hash as a cache key.

All details can be found in the issue tracker.

André R.

Friday 04 September 2009 1:07:30 pm

$user_hash is not unique enough for the user name; it's a hash of what the user has access to, so users with access to the same things have the same cache (read: for cache efficiency).
Either remove the name from the code or do it like webin does it, see:
http://svn.ez.no/svn/extensions/ezwebin/stable/1.3/packages/ezwebin_extension/ezextension/ezwebin/design/ezwebin/templates/pagelayout.tpl

First cache block is per user:

{cache-block keys=array( $uri_string, $basket_is_empty, $user_id )}

Second (nested) cache-block does not use user id, and therefore is shared among several users; it is after the logout (<name>) code (and the basket code):

{cache-block keys=array( $uri_string, $user_hash )}

So you can safely close your issue. If you want to be 100% sure:
* Log in with a user that has exactly the same rights as you, meaning same user group and, if any, same direct roles (create a new user if you have to).
* Then surf around your site and log out.
* Log in with your regular user and observe that the other user's name is in the logout link.
* Click on the profile link ( /user/edit ).

Make sure you do the three last steps while no one is publishing content or clearing cache.
If on the last point you see the other user's profile, then you have session issues or someone screwed up and didn't close the cache-block before the $module_result.content line. If you don't, then it's just a cache issue as explained above.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom
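
The cache-key behaviour described in this thread, as an added simulation that is not eZ Publish's or ezwebin's own code: a fragment containing the username is cached under a key derived only from the permission hash (the leaky variant) versus a key containing the user id (what ezwebin's outer cache-block does). The user names, ids and role sets are constructed sample data.

```python
import hashlib

# Constructed sample users: "nimran" and "customer" share the same roles, so
# their permission-derived hash (the $user_hash idea) is identical.
USERS = {
    "nimran":   {"id": 14, "roles": ("Editor", "Anonymous")},
    "customer": {"id": 27, "roles": ("Editor", "Anonymous")},
    "admin":    {"id": 10, "roles": ("Administrator",)},
}


def user_hash(user):
    """Hash of what the user may access; shared between users with equal rights."""
    roles = ",".join(sorted(user["roles"]))
    return hashlib.sha1(roles.encode()).hexdigest()[:12]


class FragmentCache:
    """Minimal stand-in for a template cache-block: first render under a key wins."""

    def __init__(self):
        self.store = {}

    def render(self, key, render_fn):
        if key not in self.store:
            self.store[key] = render_fn()
        return self.store[key]


def logout_link(username):
    return f'<a href="/user/logout">logout ({username})</a>'


def render_page(cache, uri, username, key_by_user_id):
    user = USERS[username]
    if key_by_user_id:
        key = (uri, user["id"])        # per user, like ezwebin's outer block
    else:
        key = (uri, user_hash(user))   # per permission set: leaks the first name
    return cache.render(key, lambda: logout_link(username))


def simulate(key_by_user_id):
    """Return what each user sees on the same URI; the first visitor fills the cache."""
    cache = FragmentCache()
    seen = {}
    for name in ("nimran", "customer", "admin"):
        seen[name] = render_page(cache, "/", name, key_by_user_id)
    return seen
```

Running `simulate(False)` shows "customer" being served "logout (nimran)" although no session was shared; `simulate(True)` serves each user their own name.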
