Mail Archives: cygwin/2023/09/06/18:21:04

X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 83CCE3858434
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
s=default; t=1694038862;
bh=BLaqShf1ZsnAph5eq+BoWdPU8ySUBU9y5WllQ5FHStY=;
h=References:In-Reply-To:Date:Subject:To:List-Id:List-Unsubscribe:
List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
From;
b=ss0JTSQfwlzV30eTA/UgcsZ6HRqa4pu4f/4rwSOVP0Afs7+19WFIURUzcaickjhJI
rSjGpkmU3qBgWt4okmjiQ5E2fWdwb4sDCCJA4KEfKcFzZoQ3+7dtNI0Z+l2ibfvYrW
NWGXQ4aXtPtPyDkdvrZFeH9CFeVfuuPapZT+0o50=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 291F13858C66
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1694038845; x=1694643645;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=gQQWeir5RpypoEXsQVuTUn0k56KEDZWHFCP8eq1DDPg=;
b=JWaGu3QRuAge5vwxu+FhTiPlw4GxjveK9QQzvwHaRQPt7Jk/9p0A9p4feD8nQFjKh5
94Gace0uf17c6K8K4eGH7nMLwaaLy0dTiv7+s49HpdfbrSzgHfZgCegE+HRTiJovAb20
sSnZIr65R6Tg2X0Pb/IqgitUNmFC6MZD/BaNHJHZs+gvxYwGUgHRF9snRWYcMy2w4N0c
OUJGZddzGpEPWJPH/JJT4dJkrxEbHBfXtex87S2yL71Sh9rvyezbJuxmPuHMKOay7085
Y63DCeMV/AhhvC2TEfpJoQf2NjbZ7VSbxT8IbxhN3ZcRJIILymAiPAEiwPZZ0qplZnsp
H8Gw==
X-Gm-Message-State: AOJu0Yx83olCyWnLe1A7S5QZ5idwN+qNAhNsfWtWnpLBychj1I9gQcmk
bPMkCdoPFkknEghWmNseWBTiFMT/02GXmlLzdy4h8bCtOWalnA==
X-Google-Smtp-Source: AGHT+IH7NA9F2IZEqBiVQ7YRwFigoa5FZxp8/uRl0oTkxnpdATwMCrZ2IVytjcxxcg1KoU77L/YGzQoq8YRB9DiITyo=
X-Received: by 2002:a05:6102:518:b0:44e:8874:585a with SMTP id
l24-20020a056102051800b0044e8874585amr3667803vsa.27.1694038845015; Wed, 06
Sep 2023 15:20:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAJVfQ_gj3N5+j+NpJytcYqMnMVMj-_p=EuLKsZ7BwnYWNRMgJg AT mail DOT gmail DOT com>
In-Reply-To: <CAJVfQ_gj3N5+j+NpJytcYqMnMVMj-_p=EuLKsZ7BwnYWNRMgJg@mail.gmail.com>
Date: Thu, 7 Sep 2023 03:20:33 +0500
Message-ID: <CAJVfQ_h8Roac9HoqbJNEe_C-iRPu1GjBaSvV2v+v_CQor0H5cA@mail.gmail.com>
Subject: Re: bug report
To: cygwin AT cygwin DOT com
X-Spam-Status: No, score=3.0 required=5.0 tests=BAYES_50, DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_ENVFROM_END_DIGIT,
FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS,
TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
server2.sourceware.org
X-Content-Filtered-By: Mailman/MimeDel 2.1.30
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Asad Ali via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Asad Ali <asadali DOT 282821 AT gmail DOT com>
Sender: "Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com>
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 386ML4sU020833

Hi Team,

Is there any update on this? I'm hoping to receive a reward for the
reported bug.

Waiting for your response.

On Fri, Dec 30, 2022 at 5:46 AM Asad Ali <asadali DOT 282821 AT gmail DOT com> wrote:

> Hey Team,
>
> I'm a penetration tester and bug bounty hunter. I have found a potential
> vulnerability in the site. Please review the report below.
>
> Vulnerability: Broken Authentication & Session Management
> We have observed that when we change the "password" from one browser, in place
> of session expiration in the other browser it just updates the password
> for the other browser and the old session gets updated without being logged
> out. The flow goes like this:
> Broken Authentication and Session Management > Failure to Invalidate
> Session > On Password Change
> Steps:
>
> 1- Login from two browsers at a time [from the Chrome browser and from Mozilla
> Firefox].
>
> 2- Change the password in settings from the Chrome browser.
>
> 3- Now check Mozilla Firefox.
>
> 4- Your session got "updated" in place of expiring.
>
> The same goes for using two different computer systems.
>
> 1- Login from two computers at a time.
>
> 2- Change the password in settings from computer A.
>
> 3- Now check computer B.
>
> 4- Your session got "updated" in place of expiring.
>
> Recommendation: if the session is updated from one browser/computer, the other
> should expire first and require a login to renew the session.
>
> If you require any additional information, please let me know. I'll be
> waiting to hear from your side regarding the report and bounty.
>

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
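The quoted report describes sessions that survive a password change. As an added illustration of the mitigation it recommends (not code from this thread, Cygwin, or sourceware.org), the example below keeps a per-user password generation counter, stamps every session with the generation current when it was issued, and rejects any session whose generation no longer matches. The `AuthStore`, `User` and `Session` types, the in-memory dictionaries, and the `demo()` replay of the report's steps are all constructed for this example.

```python
"""Session invalidation on password change (added example, not project code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    name: str
    pw_salt: bytes
    pw_hash: bytes
    # Bumped on every password change; a session records the value that was
    # current when it was issued, so sessions from before the change are stale.
    password_generation: int = 0


@dataclass
class Session:
    user: str
    generation: int
    created: float = field(default_factory=time.time)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; iteration count chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthStore:
    """In-memory user and session store (constructed for this example)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None:
            return None
        if not hmac.compare_digest(user.pw_hash, _hash_password(password, user.pw_salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.password_generation)
        return token

    def current_user(self, token: str) -> Optional[str]:
        """Resolve a session token: the check every authenticated request runs."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user = self.users[sess.user]
        # Issued before the latest password change: treat as revoked.
        if sess.generation != user.password_generation:
            del self.sessions[token]
            return None
        return user.name

    def change_password(self, token: str, old: str, new: str) -> Optional[str]:
        """Re-authenticate, rotate the password, revoke every session of the
        user, and hand the caller a fresh token under the new generation."""
        name = self.current_user(token)
        if name is None:
            return None
        user = self.users[name]
        if not hmac.compare_digest(user.pw_hash, _hash_password(old, user.pw_salt)):
            return None
        user.pw_salt = secrets.token_bytes(16)
        user.pw_hash = _hash_password(new, user.pw_salt)
        user.password_generation += 1
        # Drop all of this user's sessions, the caller's included ...
        for tok, sess in list(self.sessions.items()):
            if sess.user == name:
                del self.sessions[tok]
        # ... then issue one new session to the caller only.
        fresh = secrets.token_urlsafe(32)
        self.sessions[fresh] = Session(name, user.password_generation)
        return fresh


def demo() -> Dict[str, Optional[str]]:
    """Replays the report: log in from A and B, change the password from A,
    then check what each token resolves to."""
    store = AuthStore()
    store.register("alice", "correct horse")
    tok_a = store.login("alice", "correct horse")
    tok_b = store.login("alice", "correct horse")
    new_a = store.change_password(tok_a, "correct horse", "battery staple")
    return {
        "b_after_change": store.current_user(tok_b),      # None: revoked
        "old_a_after_change": store.current_user(tok_a),  # None: revoked
        "new_a_after_change": store.current_user(new_a),  # "alice"
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter means no session table scan is needed to revoke sessions that live in a signed cookie or a separate cache: the check happens lazily at the next request. Requiring the old password inside `change_password` is the second half of the defence, since a hijacked session alone should not be able to lock the legitimate user out.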
