there is a serious bug in KeyHelp 20.2 authentication
Posted: Sat 29. Aug 2020, 19:42
by sanxh
there is a serious bug in KeyHelp 20.2 authentication.
Log in in your browser, copy the current session ID URL and paste it in another browser, it opens the admin panel.
No need to login again.
https://x.x.x.x/index.php?page=admin_da ... kkr3r54353
Re: there is a serious bug in KeyHelp 20.2 authentication
Posted: Sun 30. Aug 2020, 06:53
by christian.john
I got a message, your session is invalid.
Re: there is a serious bug in KeyHelp 20.2 authentication
Posted: Sun 30. Aug 2020, 10:18
by Tobi
The session id is connected with your IP.
As long as you don't share the URL within your LAN there's no security issue.
We also have a German thread about this topic.
viewtopic.php?f=6&t=355
Re: there is a serious bug in KeyHelp 20.2 authentication
Posted: Tue 1. Sep 2020, 15:21
by Alexander
As Tobi has already mentioned, in the current KeyHelp version the session is bound to your IP.
Furthermore I have now implemented several additional security measures to protect against other attack vectors.
All part of the upcoming KeyHelp 20.3.
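The IP binding Tobi and Alexander describe, as an added example that is not part of the thread and is not KeyHelp's code: a server-side session check that rejects a copied session ID from another address but still accepts it from a second client behind the same public IP. The class name, timeout and addresses are assumptions constructed for illustration.

```python
import secrets
import time

SESSION_TTL = 900  # seconds; assumed idle timeout, not a KeyHelp setting


class SessionStore:
    """Hypothetical server-side session table keyed by a random session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable ID from the OS CSPRNG
        self._sessions[sid] = {"user": user, "ip": client_ip, "seen": now}
        return sid

    def validate(self, sid, client_ip, now=None):
        """Return the user name, or None if the request must be rejected."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["seen"] > SESSION_TTL:
            del self._sessions[sid]  # idle too long: drop the session
            return None
        if entry["ip"] != client_ip:
            return None  # ID presented from a different address than at login
        entry["seen"] = now
        return entry["user"]


def demo():
    """Replay one session ID from several clients (constructed addresses)."""
    store = SessionStore()
    sid = store.create("admin", "203.0.113.10", now=0)
    return {
        # Original browser, same address as at login.
        "same_browser": store.validate(sid, "203.0.113.10", now=60),
        # Copied URL opened from another network.
        "other_network": store.validate(sid, "198.51.100.7", now=120),
        # Copied URL opened on a second machine behind the same NAT:
        # the server sees the same public IP, so the check passes.
        "same_nat": store.validate(sid, "203.0.113.10", now=180),
        # Any client after the idle timeout.
        "expired": store.validate(sid, "203.0.113.10", now=180 + SESSION_TTL + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The `same_nat` result is the LAN case from Tobi's post: an IP comparison cannot tell two browsers behind one public address apart.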
Re: there is a serious bug in KeyHelp 20.2 authentication
Posted: Wed 2. Sep 2020, 14:05
by sanxh
Alexander wrote: Tue 1. Sep 2020, 15:21
As Tobi has already mentioned, in the current KeyHelp version the session is bound to your IP.
Furthermore I have now implemented several additional security measures to protect against other attack vectors.
All part of the upcoming KeyHelp 20.3.
When is release 20.3?
thanks
Re: there is a serious bug in KeyHelp 20.2 authentication [SOLVED]
Posted: Wed 2. Sep 2020, 14:12
by Alexander
It should be ready in September - but no guarantee for that.