Forums | Mahara Community

Security Announcements
Security issue relating to session fixation in PHP 5.3, <15.04.7, <15.10.3

Aaron Wells
Posts: 896

03 May 2016, 1:22 PM

Changes to Mahara's session management in 15.04.0, when Mahara is running on PHP version 5.3, can sometimes cause two users on separate computers to be served the same session ID. This results in one user being "logged in" as the other user, with all that user's permissions and access. This situation can occur when a user takes an action that forces another user to be logged out of Mahara, such as an admin changing another user's account settings.

Category: Sessions
Severity: High
Versions affected: <15.04.7, <15.10.3, running PHP 5.3
Reported by: Aaron Wells
Bug reports:

CVE reference: 2017-1000152
