[#24317] - [4.0] Further protection (requires PHP 5.6+) about an session timing attack
- Fixed in Code Base
- 13 Sep 2019
- Medium
- Build: 4.0-dev
- # 24317
- Diff
- zero-24:session_abort
- Success Hound No violations found. Woof! Details
- Success continuous-integration/appveyor/pr AppVeyor build succeeded Details
- Success continuous-integration/drone/pr Build is passing Details
User tests: Successful: Unsuccessful:
Summary of Changes
This is an further protection (requires PHP 5.6+) about the session timing attack implemented in Joomla 3.8.8
This issue is now moved to the public tracker thanks for the work done on this by:
@demis-palma
@wilsonge
@SniperSister
@mbabker
@PhilETaylor
Testing Instructions
- apply the patch
- login the backend
- make sure the ajax call checking for Joomla Updates still works as expected.
Expected result
Everything works and session is aborted
Actual result
In some very very rare cases session is not aborted.
Documentation Changes Required
none.
| Milestone |
Added: |
||
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_installer |
| Labels |
Added:
?
|
||
Ok ready for testing now. George just corrected the call and I removed the now useless use call :)
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/24317.
| Labels |
Removed:
J4 Issue
|
||
Can we get one more test here please? cc @wilsonge @SniperSister
Would be great when we can get one more tester so we can include this patch in 4.0. :)
Can we find anyhow an tester on this one?
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-09-13 12:13:25 |
| Closed_By | ⇒ | wilsonge |
I'm merging this so that it gets extra testing.
Get session from application please.
Joomla\CMS\Factory::getSession()is deprecated.