there is a serious bug in KeyHelp 20.2 authentication  [SOLVED]

sanxh
Posts: 30
Joined: Tue 12. May 2020, 11:52

there is a serious bug in KeyHelp 20.2 authentication

Post by sanxh »

:o :o :o
there is a serious bug in KeyHelp 20.2 authentication.

Log in in your browser, copy the current session ID URL and paste it in another browser; it opens the admin panel.
No need to log in again.
https://x.x.x.x/index.php?page=admin_da ... kkr3r54353
christian.john
Posts: 228
Joined: Tue 9. Apr 2019, 16:31
Location: Korschenbroich
Contact:

Re: there is a serious bug in KeyHelp 20.2 authentication

Post by christian.john »

I got a message: your session is invalid.
Individual development of web-based database systems
https://www.john-softwareentwicklung.de
Tobi
Community Moderator
Posts: 2812
Joined: Thu 5. Jan 2017, 13:24

Re: there is a serious bug in KeyHelp 20.2 authentication

Post by Tobi »

The session ID is connected with your IP.

As long as you don't share the URL within your LAN there's no security issue.

We also have a German thread about this topic.
viewtopic.php?f=6&t=355
Regards,
Tobi


-----------------------------
wewoco.de
The forum for resellers, digital agencies, screen workers and mouse-pushers
Alexander
Keyweb AG
Posts: 3810
Joined: Wed 20. Jan 2016, 02:23

Re: there is a serious bug in KeyHelp 20.2 authentication

Post by Alexander »

As Tobi has already mentioned, in the current KeyHelp version the session is bound to your IP.

Furthermore, I have now implemented several additional security measures to protect against other attack vectors.
All part of the upcoming KeyHelp 20.3.
Best regards
Alexander Mahr

**************************************************************
Keyweb AG - The Hosting Brand
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
sanxh
Posts: 30
Joined: Tue 12. May 2020, 11:52

Re: there is a serious bug in KeyHelp 20.2 authentication

Post by sanxh »

Alexander wrote: Tue 1. Sep 2020, 15:21
As Tobi has already mentioned, in the current KeyHelp version the session is bound to your IP.

Furthermore, I have now implemented several additional security measures to protect against other attack vectors.
All part of the upcoming KeyHelp 20.3.

When is release 20.3? :?:
Thanks :D
Alexander
Keyweb AG
Posts: 3810
Joined: Wed 20. Jan 2016, 02:23

Re: there is a serious bug in KeyHelp 20.2 authentication  [SOLVED]

Post by Alexander »

It should be ready in September, but no guarantee for that.