Security Vulnerability found in DoWant


aeiche
Dec 2, 2015, 6:24:29 PM
to do-want
Hi Everyone,

I discovered a security vulnerability in DoWant today that makes it possible for an individual to know which items have been reserved for them. The vulnerability exists in the session management of the system.

When a user requests details about an item, the wishlist object checks to make sure that the requesting user is not the owner. The requesting user is kept in a session variable, and the owner is retrieved from the database. If they match, the system sets the reservation data to a simple string declaring to the front end that it's irrelevant.
You can see this in the wishlist.class.php file here, if you're interested.

The fault occurs when a session times out or is explicitly killed. The userid variable in the session is removed - but the front end is never informed. If the front end then requests the item details, the user in the session doesn't match the owner of the item, so the system provides the reservation data as well.

Understanding what happened, I can create a fix for it. My apologies to anyone who had a surprise ruined by this, and special thanks to Kevin who helped me figure out what happened. I'll patch this and fix it in the coming release.

If anyone has any questions about this, or wants further clarification - or wants to offer a fix, please let me know.

-Aaron
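The failure mode described in the post, as an added example that is not DoWant's own code: an owner check that compares the session user with the item owner fails open once the session has expired, while a fail-closed version refuses to serve anything without an authenticated user. The function names, array keys and sample values are assumptions for illustration.

```php
<?php
// Added example, not code from wishlist.class.php. Item fields and function
// names are assumptions; the item and sessions below are constructed samples.
declare(strict_types=1);

// Vulnerable pattern: "hide reservation data if the requester is the owner".
// When the session has timed out or been destroyed, $session['userid'] is gone,
// the comparison is false, and the reservation data goes to an unauthenticated
// front end that still believes it is logged in as the owner.
function itemDetailsVulnerable(array $session, array $item): array
{
    $requester = $session['userid'] ?? null;
    if ($requester == $item['owner_id']) {
        $item['reserved_by'] = 'n/a';   // owner must not learn who reserved it
    }
    return $item;
}

// Hardened pattern: fail closed. No authenticated user means no item details,
// and the owner check uses a strict integer comparison so null, '' or 0 cannot
// accidentally match (or fail to match) a real user id.
function itemDetailsHardened(array $session, array $item): array
{
    if (!isset($session['userid'])) {
        // Signal the expired session to the front end instead of serving data.
        throw new RuntimeException('not authenticated', 401);
    }
    if ((int) $session['userid'] === (int) $item['owner_id']) {
        unset($item['reserved_by']);    // owner never receives the field at all
    }
    return $item;
}

// Constructed sample: item owned by user 7, reserved for them by user 12.
$item = ['id' => 42, 'owner_id' => 7, 'reserved_by' => 12];

// The owner's session has expired (userid removed) but the page still polls.
$expiredSession = [];

// Vulnerable handler: reservation data is returned although nobody is logged in.
$leaked = itemDetailsVulnerable($expiredSession, $item);
echo 'vulnerable handler returned reserved_by=', $leaked['reserved_by'], "\n";

// Hardened handler: the request is rejected and the front end can re-authenticate.
try {
    itemDetailsHardened($expiredSession, $item);
} catch (RuntimeException $e) {
    echo 'hardened handler: ', $e->getMessage(), ' (', $e->getCode(), ")\n";
}
```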

aeiche
Dec 3, 2015, 12:56:36 PM
to do-want
I fixed this last night, if anyone's interested. 
https://github.com/aaroneiche/do-want/pull/117

It will be in the forthcoming release.

Kevin J. Wangler
Dec 3, 2015, 2:33:13 PM
to do-...@googlegroups.com
I'm a-waitin' on the release till I do anything. :)  Excited!
