CWE613: Session/Tokens not expire after changing password #1018

Open
2 of 3 tasks
menghaining opened this issue May 12, 2024 · 0 comments
Labels
bug 软件缺陷 (software defect)

Contributor

menghaining commented May 12, 2024

Current behavior

When the admin changes a user's password, or a user changes their own password, the old session/token can still be used. This is the CWE-613 (Insufficient Session Expiration) vulnerability.

PoC

Expected behavior

When changing the user's password, require a re-login or invalidate the session/token tied to the old password.

Operating system

  • macOS or Mac OSX
  • Windows
  • Linux (Debian, CentOS, Ubuntu, etc.)

Solution

If changing the user's password, also terminate his session or invalidate his authentication token.

position:

Code version

v7.x, v8.x

@menghaining menghaining added the bug 软件缺陷 (software defect) label May 12, 2024
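An added example, in Python, of the fix this report asks for (it is not the project's own code): every session records the password version in force when it was issued, and a password change bumps that version, so sessions issued before the change stop validating whether an admin reset the password or the user changed it. The names AuthService, pw_version and keep_session are assumptions, and re-binding the changing user's own session instead of forcing a re-login is a design choice the report does not specify.

```python
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: str) -> str:
    # Stand-in for a real KDF (use argon2/bcrypt in production).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


class AuthService:
    def __init__(self) -> None:
        self.users = {}     # name -> {"salt", "pw_hash", "pw_version"}
        self.sessions = {}  # session_id -> {"user", "pw_version"}

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[name] = {"salt": salt, "pw_hash": _hash_password(password, salt), "pw_version": 1}

    def login(self, name: str, password: str):
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u["pw_hash"], _hash_password(password, u["salt"])):
            return None
        sid = secrets.token_urlsafe(32)
        # Bind the new session to the password version it was issued under.
        self.sessions[sid] = {"user": name, "pw_version": u["pw_version"]}
        return sid

    def is_valid(self, sid: str) -> bool:
        s = self.sessions.get(sid)
        if s is None:
            return False
        # The vulnerable behaviour reported above is returning True at this point.
        # The fix: a session issued under an earlier password is stale, whether
        # the change was an admin reset or a self-service change.
        if s["pw_version"] != self.users[s["user"]]["pw_version"]:
            del self.sessions[sid]
            return False
        return True

    def change_password(self, name: str, new_password: str, keep_session=None) -> None:
        u = self.users[name]
        u["salt"] = secrets.token_hex(8)
        u["pw_hash"] = _hash_password(new_password, u["salt"])
        u["pw_version"] += 1  # every session issued before now is now stale
        # Assumption: the session that performed a self-service change may be
        # re-bound to the new version instead of being forced to re-login.
        s = self.sessions.get(keep_session)
        if s is not None and s["user"] == name:
            s["pw_version"] = u["pw_version"]
```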