The UI Performs the Wrong Action in zikula/core
Sep 28th 2021
Sensitive data on the application can be exposed after the user logs
Proof of Concept
// PoC 1 Login to the application 2 Goto page like My Account 3 Click logout 4 Click browser back button
When a user logs out without closing the browser someone can view the information inside by clicking the back button on the browser.
Hello and thank you for reporting, I doubt that this can be prevented from server-side because Firefox is just showing the old page from its client cache. When you reload or click on another link/button it does not happen, since the session is gone.
Correct. You can add a refresh event when the user has logged out and click the back button on the browser. Sensitive data here can generally be user information, credit cards, ..
A client-side event handler can't be a solid solution as it can be disabled.
Yes. The back-end can solve this issue. You can try use cache header like:
"Cache-Control", "no-cache, no-store, must-revalidate");addHeader(
So the actual fix would be disabling any kind of cache inside the browser (unless using a proxy). We had another report of that here: https://huntr.dev/bounties/c4371a9a-e355-4869-928c-8c275cf7beb4/ Will need to check with the team about that.
Yes. The cache should disable. More config for cache header like :
'Cache-Control','nocache, no-store, max-age=0, must-revalidate') ->header('Pragma','no-cache') ->header('Expires','Sun, 02 Jan 1990 00:00:00 GMT');header(