Uploaded image for project: 'Openmeetings'
  1. Openmeetings
  2. OPENMEETINGS-2739

auth security issue

    XMLWordPrintableJSON

Details

    • Important

    Description

      There is a heavy security issue that enables you to to log yourself in as another user.

       

      If you start the dialog to invite someone in a private room you can choose a room's title, a user and a password. Then you can generate an invitation url which is supposted to be send via mail to that user to join your room.

      That url contains a hash which logs in the invited user automatically.

       

      <URL>/openmeetings/hash?invitation=c0fdb7cb-e0bb-4012-95ba-e658fc25c634&language=2

       

      So by calling that url by yourself you can log in as that invited user (before actually sending the invitation).

       

       

       

      Attachments

        Issue Links

          causes

          Test - A new unit, integration or system test. OPENMEETINGS-2750 When send an invitation from Room, "Generate URL" button is grey

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Activity

            People

              solomax Maxim Solodovnik
              dzimmt Dennis Zimmt
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: