Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 20.01.2025
Last edited by cbay - 21.01.2025

FS#124 - Failure to invalidate session after password change


Hello Team,

I hope you are doing well. While researching your domain, I found a "Failure to invalidate session after password change" vulnerability in your domain.

Steps to Reproduce:

1. Go to https://admin.alwaysdata.com/mailbox/id/, set a password and then submit.
2. Then, go to another browser and log in to https://webmail.alwaysdata.com/?from_roundcube=1.
3. Again, go to https://admin.alwaysdata.com/mailbox/id/, change the password and submit it.
4. You can see that the session is still logged in at https://webmail.alwaysdata.com/?from_roundcube=1 and you can make any changes in https://webmail.alwaysdata.com/?from_roundcube=1.

Impact
If an attacker has the user's password and is logged in in different places, as the other sessions are not destroyed, the attacker will still be logged in to your account even after the password is changed, because his session is still active. A malicious actor can have complete access to your account until that session expires! So, your account remains insecure even after changing the password.

Thank You,

Waleed Anwar
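The defensive pattern this report is asking for is server-side: every session records the "password generation" it was created under, the generation is bumped on each password change, and any session carrying an older generation is rejected on its next request. The following is an added illustration written for this page; it is not alwaysdata's or Roundcube's code, and the in-memory `AuthService`, `User` and `Session` classes and the `demo()` scenario are hypothetical. `demo(bind_sessions_to_password=False)` reproduces the reported behaviour (the second browser stays logged in); `demo(True)` shows the hardened behaviour.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    token: str
    username: str
    pw_generation: int  # generation the session was issued under
    created_at: float


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is used only to keep the example self-contained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Hypothetical in-memory user/session store (constructed for this example)."""

    def __init__(self, bind_sessions_to_password: bool = True) -> None:
        self.bind = bind_sessions_to_password
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        # Constant-time comparison avoids leaking hash prefixes through timing.
        return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.pw_generation, time.time())
        return token

    def session_valid(self, token: str) -> bool:
        """Called on every request; stale sessions are dropped here."""
        s = self.sessions.get(token)
        if s is None:
            return False
        user = self.users[s.username]
        if self.bind and s.pw_generation != user.pw_generation:
            # Password changed after this session was issued: invalidate it.
            del self.sessions[token]
            return False
        return True

    def change_password(self, username: str, old_pw: str, new_pw: str,
                        keep_token: Optional[str] = None) -> bool:
        """Rotate the password and bump the generation, which retires every
        other session in O(1) without enumerating them. The session that
        performed the change may be kept by rebinding it to the new generation."""
        user = self.users[username]
        if not self._check_password(user, old_pw):
            return False
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new_pw, user.salt)
        user.pw_generation += 1
        keep = self.sessions.get(keep_token) if keep_token else None
        if keep is not None and keep.username == username:
            keep.pw_generation = user.pw_generation
        return True


def demo(bind_sessions_to_password: bool = True) -> Tuple[bool, bool]:
    """Replays the reported scenario: browser A sets the password, browser B
    logs in, A changes the password. Returns (A still valid, B still valid)."""
    svc = AuthService(bind_sessions_to_password)
    svc.create_user("alice", "initial-pw")
    tok_a = svc.login("alice", "initial-pw")   # browser A (admin panel)
    tok_b = svc.login("alice", "initial-pw")   # browser B (webmail)
    assert tok_a and tok_b
    assert svc.change_password("alice", "initial-pw", "new-pw", keep_token=tok_a)
    return svc.session_valid(tok_a), svc.session_valid(tok_b)


if __name__ == "__main__":
    print("vulnerable:", demo(False))  # (True, True): B stays logged in
    print("hardened:  ", demo(True))   # (True, False): B is logged out
```

The generation counter is cheaper than a revocation list and survives session stores that cannot be enumerated (signed cookies, distributed caches). A front end that holds credentials for a separate backend, as a webmail client does for IMAP/SMTP, should apply the same check to its own session rather than rely on the backend rejecting the old credentials, since interface state that never touches the backend (settings pages, for instance) otherwise remains reachable.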

Closed by  cbay
21.01.2025 13:39
Reason for closing:  Invalid
21.01.2025: A request to reopen the task has been made. Reason for request: I can change settings from roundcube settings
Admin
cbay commented on 21.01.2025 13:39

Hello,

Although you're still "logged in" from a Roundcube perspective, you're unable to do anything on the mailbox (i.e. view or send mails) as the IMAP/SMTP password has changed.

Kind regards,
Cyril

I can change interface settings from the Roundcube settings.

But the session will be logged out when the password is changed; it is a valid reason, and there are so many reports which are triaged from this perspective.
