Security Issue with Build a CMS


CLU

Hi Guys,

 

I think I have come across a potential security issue with the build a CMS. It seems there is a worrying issue, that being if you had two different sites, then the users that login for one would be able to log into the other. I think this must have something to do with the session start. Although there would have to be some form of serendipity as the users will have to be using the same browser, but still this seems to be rather worrying. Would/does anyone have a solution to this? Maybe this could be solved by changing the salt?

 

If anyone could help that would be great.

 

CLU

I'll take a look later this week and see if I can reproduce. This shouldn't happen -- each site should have its own unique session.

 

If you have these two sites online, any chance you could PM me the URLs and username/passwords to each so I can check? It would be much easier than having to set up two sites of my own to test.

At the moment the two sites that I have tested are on local servers; I was running tests to check everything and this is when I came across this issue. They are both reading from different databases, could the issue be with regards to the salt being the same?

I've looked into this issue a little more. As far as I understand it, the issue is that you are running the websites on the same domain (localhost). Because they are on the same domain, they are sharing the session, and thus sharing session variables that track whether the user is logged into the website. This is a situation that most people shouldn't run into, since the average user shouldn't be running multiple installations of the system on the same live domain. If you actually put these two sites up on their own domains, you shouldn't run into this issue. However, since I can't discount that fact entirely, I'll add this issue to the list of things I need to talk about when I do an update to the course.

 

The easiest solution to this issue is to add this line just before "session_start();" within /app/core/core.php:

 

session_name('[unique identifier here]');

Replace [unique identifier here] with a alphanumeric string that is unique to the website. Do that for both the sites running on your local server, using different unique identifiers for each, and you shouldn't have this issue any longer. This will set different session names for each site, keeping them unique and separate from each other even though they are running on the same domain.

 

A slightly more elegant solution might be to set the unique identifier in a constant within /app/init.php, and then use that constant when you call session_name(). It would just be easier to find and change that variable within the init file rather than trying to remember which file session_start() is called in.
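As an added illustration of the fix described above (this is example code, not code from the "Build a CMS" course), the following sketch puts a per-site constant in /app/init.php and uses it in /app/core/core.php before session_start(). The constant names SITE_SESSION_NAME and SITE_COOKIE_PATH and the helper startSiteSession() are assumptions chosen for this example; the two file paths are the ones named in the thread.

```php
<?php
// Added example; not the course's own code. SITE_SESSION_NAME,
// SITE_COOKIE_PATH and startSiteSession() are hypothetical names.

// --- /app/init.php (hypothetical excerpt) ---
// Each installation gets its own session name so two sites on the same
// host (e.g. http://localhost/siteone and http://localhost/sitetwo) no
// longer share the default PHPSESSID cookie, and so no longer share the
// session variables that record whether a user is logged in.
define('SITE_SESSION_NAME', 'siteone');   // change this per installation
define('SITE_COOKIE_PATH', '/siteone/');  // URL prefix this site lives under

// --- /app/core/core.php (hypothetical excerpt) ---
function startSiteSession(string $name, string $cookiePath): void
{
    // PHP session names may only contain letters and digits and must not
    // be digits only; fail loudly instead of silently falling back to the
    // shared default name, which would reintroduce the original problem.
    if (!preg_match('/^[A-Za-z0-9]+$/', $name) || ctype_digit($name)) {
        throw new InvalidArgumentException("Invalid session name: $name");
    }

    // session_name() has to run on every request, before session_start().
    session_name($name);

    // Scoping the cookie to the site's own path is a second line of
    // separation on a shared domain; the remaining flags are routine
    // session-cookie hardening.
    session_set_cookie_params([
        'path'     => $cookiePath,
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);

    session_start();
}

startSiteSession(SITE_SESSION_NAME, SITE_COOKIE_PATH);
```

With different values of SITE_SESSION_NAME in each installation, the browser holds one session cookie per site, so logging in to one site on localhost no longer satisfies the login check on the other. Keeping the value in the init file, as the post suggests, also means the only thing to change when cloning the installation is that one constant.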

It seems that you are right, I wasn't thinking about them being essentially on the same domain. Cheers for helping out... Also a heads up on another potential issue with the colorbox and the long. Because everything within the init file is absolute so the site path being stated as www.domain.com... if a user types domain.com ... then when they click on the login link it throws an error, as it's not including the www. The simple solution I found was to create a htaccess file and just make sure the url is changed to match that within the init file. Just a heads up.

 

Thanks again.
