PacketFence - BTS - PacketFence
View Issue Details
0001294 | PacketFence | security | public | 2011-10-03 11:52 | 2011-10-24 20:17
0001294: Session state shared between captive portal and guest management web interfaces
The directory specified to store session state in both the captive portal guest self-registration (html/captive-portal/guest-selfregistration.cgi) and guest management (html/admin/guest-management.cgi) web interfaces is the same: '/tmp'. This allows an attacker who has signed in on the captive portal guest self-registration interface to be considered logged in as well to the guest management web interface.

Both use the "login" parameter in the session: captive-portal/guest-selfregistration.cgi sets it in pf::web::guest::validate_selfregistration, and admin/guest-management.cgi checks it on line 57.
No tags attached.
patch security-fix-1294-session-sharing.patch (846) 2011-10-12 15:42
Issue History
2011-10-03 11:52 | mattd | New Issue
2011-10-06 11:47 | obilodeau | Status | new => assigned
2011-10-06 11:47 | obilodeau | Assigned To | => obilodeau
2011-10-12 15:29 | obilodeau | Note Added: 0002339
2011-10-12 15:29 | obilodeau | Severity | major => minor
2011-10-12 15:42 | obilodeau | File Added: security-fix-1294-session-sharing.patch
2011-10-12 15:44 | obilodeau | mtn revision | => c9d2a6a5b8ce155a535eddae62c1d9430c5a7f1a
2011-10-12 15:44 | obilodeau | Note Added: 0002340
2011-10-12 15:44 | obilodeau | Status | assigned => resolved
2011-10-12 15:44 | obilodeau | Fixed in Version | => +1
2011-10-12 15:44 | obilodeau | Resolution | open => fixed
2011-10-17 10:39 | obilodeau | Note Added: 0002365
2011-10-24 16:45 | obilodeau | View Status | private => public
2011-10-24 20:15 | obilodeau | Target Version | => 3.0.2
2011-10-24 20:15 | obilodeau | Note Added: 0002384
2011-10-24 20:16 | obilodeau | Status | resolved => closed
2011-10-24 20:17 | obilodeau | Fixed in Version | +1 => 3.0.2

2011-10-12 15:29   
Reproduced in the lab. Reducing severity because the session is bound to a remote address and that address will change after a successful authentication in VLAN enforcement (due to the nature of it).

Users of inline enforcement are affected. The feature is quite new so there shouldn't be too many.

Nonetheless it is a great find! Thanks for the report.
2011-10-12 15:44   
Fixed by changing session path to var/session/ (which is what the Web Admin's PHP uses already).

Fix will be released in 3.0.2 shortly.

Those who can't wait or who won't upgrade in a timely fashion should apply the attached patch. It should apply cleanly on 3.0+. Users of PacketFence before version 3.0.0 are *not* affected.
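
A minimal model of the flaw and of the effect of separating the session directories, added here as an example; it is not PacketFence code. The store class, function names, directory names and addresses are constructed for illustration; only the shared directory, the "login" session key and the remote-address binding come from the report and notes above.

```python
import json, os, secrets, tempfile
ADDR = "192.0.2.10"  # constructed client address (documentation range)
class FileSessionStore:
    """Model of a file-backed session store: one JSON file per session id."""
    def __init__(self, directory):
        self.directory = directory
        os.makedirs(directory, exist_ok=True)

    def _path(self, sid):
        if not sid or any(c not in "0123456789abcdef" for c in sid):
            raise ValueError("malformed session id")  # ids are hex only
        return os.path.join(self.directory, "sess_" + sid)

    def create(self, remote_addr, **data):
        sid = secrets.token_hex(16)
        with open(self._path(sid), "w") as fh:
            json.dump(dict(data, _remote_addr=remote_addr), fh)
        return sid

    def load(self, sid, remote_addr):
        try:
            with open(self._path(sid)) as fh:
                data = json.load(fh)
        except (OSError, ValueError):
            return None
        # The session is bound to the remote address, as the first note says.
        return data if data.get("_remote_addr") == remote_addr else None

def portal_selfregister(store, remote_addr, email):
    """Captive portal side: self-registration stores 'login' in the session."""
    return store.create(remote_addr, login=email)

def admin_is_logged_in(store, sid, remote_addr):
    """Guest management side: accepts any session that carries 'login'."""
    session = store.load(sid, remote_addr)
    return bool(session and session.get("login"))

def demo():
    root = tempfile.mkdtemp()
    shared = FileSessionStore(os.path.join(root, "tmp"))  # before the fix
    portal, admin = (FileSessionStore(os.path.join(root, d)) for d in ("portal", "admin"))
    sid = portal_selfregister(shared, ADDR, "guest@example.com")
    sid2 = portal_selfregister(portal, ADDR, "guest@example.com")
    return {"shared_same_addr": admin_is_logged_in(shared, sid, ADDR),
            "shared_new_addr": admin_is_logged_in(shared, sid, "192.0.2.77"),
            "separate_dirs": admin_is_logged_in(admin, sid2, ADDR)}

if __name__ == "__main__":
    print(demo())
```

The `shared_new_addr` case models VLAN enforcement, where the client address changes after authentication; `shared_same_addr` models inline enforcement, where it does not.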
2011-10-17 10:39   
This vulnerability has been assigned: CVE-2011-4070.
2011-10-24 20:15   
Fix released in 3.0.2.