Thanks Guust, for your clarification, and Brian for your due diligence in reporting this & keeping active on the topic!
I've taken a look at both the MASA rememberme fix that Brian linked to, and the private muracms repo with purportedly the fixes updated, and it looks to me like it's related to or narrowly scoped to the remember me functionality on both the user and admin login.
For our mura usage, we made the decision years ago to remove the 'remember me' ability for a user upon login (which seems to fix half the issue), but we still have the admin toggle available.
It looks like for muracms the patch is confined to the config/appcfc/onRequestStart_include.cfm for the logic (adding to the if-case conditionals), the rest of the patch is for adding a 'remember me' configuration option & checking it before output of the remember me checkbox/toggle, and in the MASA, adds logic to core/mura/login/loginManager.cfc as well.
It seems to me this is an easy path, relating to not showing the remember me ability on login pages, and updating the onRequestStart logic to add the new conditionals.
We also have logic in about half our sites that on a successful login, if there are remember me cookies, instantly perform a logout so they are removed, and I'm happy to share that onSiteLoginSuccess logic if anyone needs it.
Brian/WeAreNorth team, does the conditionals fix outlined above (along with the removal of the remember me login option on forms) cover the exposure for this vulnerability, or is there additional exposure to worry about?
Thanks for keeping this discussion alive!
-Dave
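Dave mentions an onSiteLoginSuccess handler that clears remember-me cookies after a login, but does not post it. The block below is an added illustration of that idea written for this thread; it is not Dave's code, nor Mura's or MASA's. Instead of performing a full logout as Dave describes, it expires the cookies directly and leaves the fresh session in place, which is a deliberately different technique. The event-handler base component (mura.cms.eventHandler), the `$` Mura scope argument, and the cookie names "userid" and "userhash" are assumptions; check the cookie names against the logic in your own config/appcfc/onRequestStart_include.cfm before relying on this.

```cfml
// Added example, not code from the thread or from Mura/MASA.
// Assumptions (verify against your install): the site event handler extends
// mura.cms.eventHandler, Mura passes its scope as "$", and the remember-me
// feature stores its state in cookies named "userid" and "userhash".
component extends="mura.cms.eventHandler" {

    // Hypothetical cookie names used by the remember-me feature.
    variables.rememberMeCookies = ["userid", "userhash"];

    // Runs after a successful front-end login. Any remember-me cookies that
    // arrived with the request are expired so the browser stops sending them;
    // the session established by this login is left intact.
    public any function onSiteLoginSuccess(required any $) {
        var removed = [];
        for (var cookieName in variables.rememberMeCookies) {
            if (structKeyExists(cookie, cookieName)) {
                // expires="now" tells the browser to discard the cookie. The path
                // must match the one the cookie was originally set with, or the
                // browser keeps the original; "/" is assumed here.
                cfcookie(name=cookieName, value="", expires="now", path="/");
                // Also drop it from this request's cookie scope so later code in
                // the same request does not treat the user as "remembered".
                structDelete(cookie, cookieName);
                arrayAppend(removed, cookieName);
            }
        }
        // Returned for logging or testing; Mura ignores the return value.
        return removed;
    }
}
```

If the cookies were set with an explicit domain, the expiring cfcookie call needs the same domain attribute as well, or the browser will treat it as a different cookie and keep the original.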