Security Advisory: User authentication system allowed login between subdomains when it shouldn't have.
Martin Webb, Director of CUBICstate Ltd in West Yorkshire, UK, brought to my attention that someone logging in to the demo web site could gain access to the site manager for my company site. This was happening for subdomains because the site the user logged in as was not validated, and the cookies were shared, I believe, due to the use of setDomainCookies=true in application.cfc, which is now disabled.
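To make the two halves of the fix concrete, here is an illustrative Application.cfc (added here as an example; it is not Jetendo's own file) that shows the weak setting beside the corrected one and adds a per-request check binding a session to the host it was created on. The `siteHost`/`authenticated` session keys, the `/login.cfm` path and the `bindSessionToSite()` helper are assumptions for the example.

```cfml
// Application.cfc (illustrative example, not Jetendo CMS code; names are assumed)
component {
    this.name = "exampleCms";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Weak setting: with setDomainCookies=true the CFID/CFTOKEN cookies are
    // written for the parent domain (e.g. ".example.com"), so a session
    // created on demo.example.com is also sent to www.example.com.
    // this.setDomainCookies = true;

    // Corrected setting: session cookies are scoped to the exact host.
    this.setDomainCookies = false;

    // Second half of the fix: validate the site the user logged in as.
    // Even if a session cookie reaches another host, refuse it unless the
    // session was established for the host that is now being requested.
    public boolean function onRequestStart(required string targetPage) {
        if (structKeyExists(session, "authenticated") && session.authenticated) {
            if (!structKeyExists(session, "siteHost")
                || session.siteHost != lCase(cgi.server_name)) {
                // Session belongs to a different host: discard it and force re-login.
                structClear(session);
                location(url = "/login.cfm", addToken = false);
                return false;
            }
        }
        return true;
    }

    // Assumed helper, called by the login handler once credentials are verified:
    // records which host the session was authenticated on.
    public void function bindSessionToSite() {
        session.authenticated = true;
        session.siteHost = lCase(cgi.server_name);
    }
}
```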
The bug has been fixed in this commit: https://github.com/jetendo/jetendo/commit/764ddde0d8ebc27738b32d6d53c5d62922c27a5d
Please update to the latest version of Jetendo CMS, v0.1.004, immediately.
Thank you again, Martin!