Security vulnerabilities

  • Status Closed
  • Assigned To cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by mudhaxk - 12.07.2024
Last edited by cbay - 12.07.2024

FS#55 - Session Not Invalidated on Permission Change

Summary:

A vulnerability was discovered where the session is not invalidated when permissions are changed, potentially allowing attackers to access sensitive information without proper authorization.

Impact:

- Unauthorized access to sensitive information
- Potential data breaches
- Increased risk of account takeover

Expected Result:

- Session should be invalidated when permissions are changed
- User should be prompted to re-authenticate with new permissions

Actual Result:

- Session remains active after permission change
- User retains access to sensitive information without re-authentication

Steps to Reproduce:

1. {Browser A → Admin} Log in to the application
2. {Browser A → Admin} Change permissions for the user
3. {Browser B → User} Log in to the application
4. Observe the session remaining active
5. Attempt to access sensitive information

Recommended Fix:

1. Invalidate the session when permissions are changed
2. Require users to re-authenticate with new permissions
3. Implement additional security measures, such as token-based authentication and secure cookie management

Conclusion:

This vulnerability poses a critical risk to sensitive information and user accounts. Invalidating the session when permissions are changed will prevent unauthorized access and ensure the security and integrity of user accounts.

Closed by cbay
12.07.2024 15:02
Reason for closing: Invalid

cbay (Admin) commented on 12.07.2024 14:41

Hello,

Changing permissions is immediately taken into account, there's no need to invalidate the session.

Kind regards,
Cyril

If someone already has access to the account and modifies the permissions, that will give the attacker more permission to access sensitive areas.
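The disagreement in this ticket comes down to where permissions are read from at request time. The following added example (not Flyspray code; the users table, session store and permission names are constructed for illustration) contrasts a session that carries a permission snapshot taken at login, which is what the report describes, with a per-request lookup of the user's current permissions, which is the behaviour the maintainer describes, plus optional session revocation on permission change as defence in depth.

```python
"""Stale session permissions vs. live authorization checks (constructed example)."""
from dataclasses import dataclass, field
import secrets

# Constructed in-memory user table: user name -> current permission set.
USERS = {"alice": {"perms": {"read"}}}


@dataclass
class Session:
    user: str
    perms_snapshot: set = field(default_factory=set)  # copied once, at login
    revoked: bool = False


SESSIONS: dict = {}  # session id -> Session


def login(user: str) -> str:
    """Create a session and snapshot the user's permissions into it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user, set(USERS[user]["perms"]))
    return sid


def can_access_cached(sid: str, perm: str) -> bool:
    """Weak pattern: trusts the permission set copied into the session at login,
    so an admin's later change is not seen until the user logs in again."""
    s = SESSIONS.get(sid)
    return s is not None and not s.revoked and perm in s.perms_snapshot


def can_access_live(sid: str, perm: str) -> bool:
    """Hardened pattern: re-read the user's current permissions on every request,
    so a change takes effect immediately without invalidating the session."""
    s = SESSIONS.get(sid)
    return s is not None and not s.revoked and perm in USERS[s.user]["perms"]


def set_permissions(user: str, perms: set, revoke_sessions: bool = True) -> None:
    """Admin action. With revoke_sessions=True every existing session of the user
    is marked revoked, forcing re-authentication as defence in depth."""
    USERS[user]["perms"] = set(perms)
    if revoke_sessions:
        for s in SESSIONS.values():
            if s.user == user:
                s.revoked = True
```

With `can_access_live`, dropping a permission is enforced on the next request even though the session stays valid; `can_access_cached` keeps granting the old permission until the session ends, which is the condition the report is concerned about.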
