[security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
Concerned version
Platform: Nginx/uWSGI
Summary
- Enable Impersonation plugin
- Enable REST Session server
- Disable CSRF tokens
- Start a terminal and execute:
  for i in {1..1000}; do curl -X POST -H 'Accept:application/json' -d user=msmith --data-urlencode password='msmith' http://auth.example.com:19876; done
- make reload
- Login dwho/dwho/dwho and hit F5 to refresh the Portal
- You are alternately authenticated as 'dwho' or 'msmith'
Backends used
PGvokoscreen-2021-06-08_22-12-00
Possible fixes
The issue seems to be linked to the handler's internal cache.
- Login with 'dwho' / 'dwho'
- Enable Impersonation plugin -> make reload_web_server
- Start the bash loop, hit F5 and the session switches to 'msmith'
- Stop the bash loop and the session is back to 'dwho' after 10 to 15 seconds.
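Whether a run of the reproduction above (or of the steps in the Summary) actually shows the bug, and whether a fix really closes it, is easiest to judge from a trace of which identity each session was served as. The checker below is an added example, not code from LemonLDAP::NG or from this report. It assumes a constructed trace format of one record per portal hit, "<time> <session-id> <user>", which is not the product's real log format, and it flags any session id that is served under more than one identity, which is exactly the symptom described here (dwho's session alternately reported as msmith while the login loop runs, then back to dwho once it stops).

```python
"""Session-consistency check for the symptom in this report: one session
being served under more than one identity.

Added example, not LemonLDAP::NG code. The record format parsed here is an
assumption for illustration: "<time> <session-id> <user>", one per hit.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SessionTrace:
    """Ordered identities observed for one session id."""
    identities: list = field(default_factory=list)  # one entry per observation
    switches: list = field(default_factory=list)    # (index, old_user, new_user)

    def record(self, index, user):
        # A change of identity within the same session is the bug's signature.
        if self.identities and self.identities[-1] != user:
            self.switches.append((index, self.identities[-1], user))
        self.identities.append(user)

    @property
    def distinct(self):
        return sorted(set(self.identities))


def parse_record(line):
    """Parse one constructed record; return (session_id, user) or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    _time, session_id, user = parts
    return session_id, user


def analyze(lines):
    """Group observations by session id, keeping their order in the trace."""
    traces = defaultdict(SessionTrace)
    for index, line in enumerate(lines):
        parsed = parse_record(line)
        if parsed is None:
            continue  # skip junk lines rather than abort the whole check
        session_id, user = parsed
        traces[session_id].record(index, user)
    return dict(traces)


def confused_sessions(traces):
    """Session ids that were served under more than one identity."""
    return {sid: trace for sid, trace in traces.items() if len(trace.distinct) > 1}


# Constructed sample trace (not real log output): dwho's session flips to
# msmith several times while the login loop runs, then settles back to dwho;
# a second, unrelated session stays consistent throughout.
SAMPLE = """\
10:00:01 a1b2c3 dwho
10:00:02 a1b2c3 dwho
10:00:03 a1b2c3 msmith
10:00:04 a1b2c3 dwho
10:00:05 a1b2c3 msmith
10:00:20 a1b2c3 dwho
10:00:21 a1b2c3 dwho
10:00:02 9f9f9f rtyler
10:00:03 9f9f9f rtyler
""".splitlines()


def report(lines=SAMPLE):
    """Return a list of human-readable findings, one per confused session."""
    findings = []
    for sid, trace in sorted(confused_sessions(analyze(lines)).items()):
        first_index, old, new = trace.switches[0]
        findings.append(
            f"session {sid}: identities {trace.distinct}, "
            f"{len(trace.switches)} switch(es), first at record {first_index} ({old} -> {new})"
        )
    return findings


if __name__ == "__main__":
    for line in report() or ["no session served under more than one identity"]:
        print(line)
```

A clean run of the reproduction against a fixed build should produce no findings; any finding means a session cookie was honoured as a different user than the one who established it, which is the authorization bypass the title describes.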
Edited by Yadd