Date: Thu, 7 Sep 2023 03:20:33 +0500
Subject: Re: bug report
To: cygwin AT cygwin DOT com
From: Asad Ali via Cygwin
Reply-To: Asad Ali
List-Id: General Cygwin discussions and problem reports

Hi Team,

Is there any update on this? I'm hoping to receive a reward for the reported bug.

Waiting for your response.

On Fri, Dec 30, 2022 at 5:46 AM Asad Ali wrote:
> Hey Team,
>
> I'm a penetration tester and bug bounty hunter. I have found a potential
> vulnerability in the site. Please review the report below.
>
> Vulnerability: Broken Authentication & Session Management
>
> We have observed that when we change the "password" from one browser, in
> place of session expiration in another browser it just updates the password
> from the other browser and the old session gets updated without being logged
> out. The flow goes like this:
>
> Broken Authentication and Session Management
> Failure to Invalidate Session
> On Password Change
>
> Steps:
>
> 1- Login from two browsers at a time [from Chrome browser and from Mozilla
> Firefox].
>
> 2- Change password in settings from Chrome browser.
>
> 3- Now check Mozilla Firefox.
>
> 4- Your session got "updated" in place of expiration.
>
> Same goes when using two different computer systems.
>
> 1- Login from two computers at a time.
>
> 2- Change password in settings from computer A.
>
> 3- Now check computer B.
>
> 4- Your session got "updated" in place of expiration.
>
> Recommendations: If the session is updated from one browser/computer, the
> other should expire first, so that the session is only renewed after logging
> in again.
>
> If you require any additional information, please let me know. I'll be
> waiting to hear from your side regarding the report and bounty.

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
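The two-browser flow the report describes, as an added example that is not part of the thread or of Cygwin's own code: a constructed in-memory session store with the observed behaviour (`change_password_weak`, other sessions survive) beside the recommended one (`change_password`, every other session of the user is revoked), and `replay_report` walks the report's steps. The account `alice`, the passwords and the token format are all constructed for the demo.

```python
import hashlib
import secrets


def digest(password):
    return hashlib.sha256(password.encode()).hexdigest()  # demo stand-in for bcrypt/argon2


class SessionStore:
    """Constructed in-memory store: session token -> user, user -> password digest."""

    def __init__(self):
        self.sessions = {}
        self.password_hashes = {}

    def register(self, user, password):
        self.password_hashes[user] = digest(password)

    def login(self, user, password):
        if self.password_hashes.get(user) != digest(password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = user
        return token

    def change_password_weak(self, token, new_password):
        """Behaviour the report observed: the credential changes, every session survives."""
        self.password_hashes[self.sessions[token]] = digest(new_password)

    def change_password(self, token, new_password):
        """Recommended: change the credential, then revoke all other sessions of the user."""
        user = self.sessions[token]
        self.password_hashes[user] = digest(new_password)
        for stale in [t for t, u in self.sessions.items() if u == user and t != token]:
            del self.sessions[stale]  # the session that made the change stays valid


def replay_report(hardened):
    """Replays the report's steps; returns what each browser sees afterwards."""
    store = SessionStore()
    store.register("alice", "old-secret")        # constructed test account
    chrome = store.login("alice", "old-secret")  # step 1: logged in from two browsers
    firefox = store.login("alice", "old-secret")
    change = store.change_password if hardened else store.change_password_weak
    change(chrome, "new-secret")                 # step 2: change the password from Chrome
    return {                                     # steps 3-4: check the other browser
        "chrome_logged_in": chrome in store.sessions,
        "firefox_logged_in": firefox in store.sessions,
        "old_password_accepted": store.login("alice", "old-secret") is not None,
    }
```

With `hardened=False` the Firefox session is still accepted after the change, which is the report's finding; with `hardened=True` only the Chrome session that changed the password remains valid.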