[Security: low] register_token used for account creation can be used as a valid session identifier
References
Concerned version
Version: %2.0.3
Summary
The confirmation email contains a link that looks like this:
http://auth.example.com/register?register_token=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f&skin=bootstrapThe register_token may be used as a valid session, before the account is even created in the Register backend
curl -b lemonldap=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f http://test1.example.com/The session is of course empty:
<li>Connected user: <ul>
<li><tt>$ENV{HTTP_AUTH_USER}</tt>: </li>
<li><tt>$ENV{REMOTE_USER}</tt>: </li>But i'm pretty sure this is undesired behavior.
Logs
cat /var/lib/lemonldap-ng/sessions/9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f
{
"_utime" : 1557493764,
"tokenSessionStartTimestamp" : 1557493764,
"_type" : "register",
"ipAddr" : "10.128.239.1",
"firstname" : "Bob",
"_session_kind" : "SSO",
"mail" : "hackerman@gibson.com",
"lastname" : "Hackerman",
"_session_id" : "9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f",
"tokenTimeoutTimestamp" : 1557565764
}
Possible fixes
The register session shouldn't be using _session_kind: SSO, or the handler should not accept _type: register ? Not sure what's the correct way here.