
Security Advisory: User authentication system allowed login between subdomains when it shouldn't have.

Wed, Feb 19, 2014 at 12:10PM

Martin Webb, Director of CUBICstate Ltd in West Yorkshire, UK, brought to my attention that someone logging in to the demo web site could gain access to the site manager for my company site. This was happening across subdomains because the site the user logged in as was not validated, and the cookies were shared, I believe, because of the use of setDomainCookies=true in application.cfc, which is now disabled.
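To make the two halves of that bug concrete, here is an added example (not Jetendo's code and not the contents of the commit below) that models them in Python. A cookie issued with a parent-domain `Domain` attribute, which is what ColdFusion's `setDomainCookies=true` produces, is attached by the browser to every subdomain, so a session created on the demo site travels to the company site; and a server that never checks which site a session was authenticated to will honour it there. The hostnames, site names, user name and cookie name are all constructed for the example; the `Server` class is a stand-in for the application, not a ColdFusion API.

```python
"""Model of a session leaking across subdomains via a domain-wide cookie.

Two independent defences are shown:
  1. cookie scope: a host-only cookie is returned only to the host that set
     it, whereas a Domain=example.com cookie goes to every subdomain;
  2. session binding: the server records the site a session logged in to and
     refuses the session when it is presented on a different site.
Either defence alone closes the hole; the fix in the advisory applies both.
All hostnames, users and the cookie name are constructed for this example.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # the setting host, or the parent domain for domain cookies
    host_only: bool  # True when no Domain attribute was sent (RFC 6265 5.3)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: exact host, or a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_for(jar: list, request_host: str) -> dict:
    """Cookies a browser would attach to a request for request_host."""
    sent = {}
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain.lower():
                sent[c.name] = c.value
        elif domain_matches(request_host, c.domain):
            sent[c.name] = c.value
    return sent


@dataclass
class Server:
    parent_domain: str
    set_domain_cookies: bool  # models Application.cfc this.setDomainCookies
    validate_site: bool       # models checking the site the user logged in as
    sessions: dict = field(default_factory=dict)

    def login(self, jar: list, host: str, user: str) -> str:
        """Authenticate `user` on `host` and hand the browser a session cookie."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "site": host}
        if self.set_domain_cookies:
            # Domain=example.com: shared by demo.example.com and www.example.com
            jar.append(Cookie("SESSIONID", sid, self.parent_domain, host_only=False))
        else:
            # no Domain attribute: the browser scopes it to `host` only
            jar.append(Cookie("SESSIONID", sid, host, host_only=True))
        return sid

    def site_manager(self, jar: list, host: str):
        """Return the user admitted to the site manager on `host`, or None."""
        sid = cookies_for(jar, host).get("SESSIONID")
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.validate_site and sess["site"] != host:
            return None  # session belongs to another site: reject it
        return sess["user"]


def demo_login_reaches_company_site(set_domain_cookies: bool, validate_site: bool):
    """Log in on the demo site, then try the company site's site manager.

    Returns the admitted user (the bug) or None (access correctly refused).
    """
    srv = Server("example.com", set_domain_cookies, validate_site)
    jar = []
    srv.login(jar, "demo.example.com", "demo-user")
    return srv.site_manager(jar, "www.example.com")


if __name__ == "__main__":
    print("vulnerable:", demo_login_reaches_company_site(True, False))   # demo-user
    print("host-only cookies:", demo_login_reaches_company_site(False, False))
    print("site check only:", demo_login_reaches_company_site(True, True))
    print("both fixes:", demo_login_reaches_company_site(False, True))
```

The session-binding check is the one worth keeping even after cookies are scoped per host: it does not depend on the browser's cookie handling, and it also catches a session cookie that reaches the wrong site by any other route.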

The bug has been fixed in this commit: https://github.com/jetendo/jetendo/commit/764ddde0d8ebc27738b32d6d53c5d62922c27a5d

Please update to the latest version of Jetendo CMS, v0.1.004 immediately.


Thank you again, Martin!


