User's session persist after permanently deleting his account in glpi-project/glpi
Reported on
Sep 18th 2022
Description
If a user is logged in and an admin permanently deletes that user's account, the user can still perform all normal actions until the session expires on its own; deleting the account does not invalidate the existing session.
If the permanently deleted user has the admin role, he can still permanently delete other admins, and any admin who is not logged in at that moment will no longer be able to access their account.
Proof of Concept
- Login as "admin" (Super-Admin)
- Create a user ( tmp_admin ) with admin role
- Login as "tmp_admin" in another browser
- Using the "admin" account, delete "tmp_admin" account permanently
- Go back to the other browser where "tmp_admin" is logged in and perform normal actions, like creating a ticket, etc.
- Log out from "admin" account
- Using "tmp_admin" delete the "admin" account permanently
- Now you can't log in as "admin"
Impact
A permanently deleted low-privileged user can spam the system since he can still create tickets, and he can still access the tickets assigned to him and read new answers.
A permanently deleted high-privileged user can permanently delete other admins and prevent them from accessing their accounts again, which may lead to total loss of all accounts.
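The root cause described above is a session that outlives the user row it was issued for. The following Python model is an added example, not GLPI code: it replays the reported steps against a small in-memory user/session store in two modes. In "vulnerable" mode every request trusts the session record (user id and privileges snapshotted at login), so a deleted user keeps acting. In "hardened" mode every request re-resolves the user from the user table and drops the session if the user is gone, and deleting a user also revokes that user's open sessions server-side. The user ids, names and token handling are constructed for illustration and do not model GLPI's real tables.

```python
"""Added example (not GLPI code): a session must be re-checked against the user
table on every request and revoked when the user is permanently deleted.

The in-memory store, user ids and tokens below are constructed for illustration."""
import secrets


class SessionStore:
    """Minimal user/session store that runs in 'vulnerable' or 'hardened' mode."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users = {}      # user_id -> {"name": ..., "is_admin": ...}
        self.sessions = {}   # token -> {"user_id": ..., "is_admin": ...}
        self.tickets = []    # (author_user_id, title)

    def add_user(self, user_id: int, name: str, is_admin: bool = False) -> None:
        self.users[user_id] = {"name": name, "is_admin": is_admin}

    def login(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)
        # Privileges are snapshotted into the session at login time.
        self.sessions[token] = {"user_id": user_id,
                                "is_admin": self.users[user_id]["is_admin"]}
        return token

    def resolve(self, token: str):
        """Return the acting principal for a token, or None if not authenticated.

        Vulnerable mode trusts the session record alone, so the session outlives
        the user it belongs to. Hardened mode re-reads the user row on every
        request and drops the session if that row no longer exists."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if not self.hardened:
            return sess
        user = self.users.get(sess["user_id"])
        if user is None:
            del self.sessions[token]   # stale session: user was deleted
            return None
        # Re-derive privileges from the live user row, not the login snapshot.
        return {"user_id": sess["user_id"], "is_admin": user["is_admin"]}

    def revoke_sessions_for(self, user_id: int) -> int:
        """Drop every open session of a user; returns how many were revoked."""
        stale = [t for t, s in self.sessions.items() if s["user_id"] == user_id]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def delete_user(self, token: str, target_id: int) -> bool:
        actor = self.resolve(token)
        if actor is None or not actor["is_admin"] or target_id not in self.users:
            return False
        del self.users[target_id]
        if self.hardened:
            # Server-side invalidation: the deleted user's sessions end now,
            # not whenever the cookie happens to expire.
            self.revoke_sessions_for(target_id)
        return True

    def create_ticket(self, token: str, title: str) -> bool:
        actor = self.resolve(token)
        if actor is None:
            return False
        self.tickets.append((actor["user_id"], title))
        return True


def replay_report(hardened: bool) -> dict:
    """Replay the report's steps; return what the deleted tmp_admin could still do."""
    app = SessionStore(hardened)
    app.add_user(1, "admin", is_admin=True)
    app.add_user(2, "tmp_admin", is_admin=True)
    admin_tok = app.login(1)
    tmp_tok = app.login(2)                  # tmp_admin logged in in another browser
    assert app.delete_user(admin_tok, 2)    # admin permanently deletes tmp_admin
    return {
        "ticket_created": app.create_ticket(tmp_tok, "new ticket"),
        "admin_deleted": app.delete_user(tmp_tok, 1),
        "admin_still_exists": 1 in app.users,
    }


if __name__ == "__main__":
    print("vulnerable:", replay_report(hardened=False))
    print("hardened:  ", replay_report(hardened=True))
```

Run as a script, the vulnerable mode reproduces the report (the deleted tmp_admin still creates a ticket and deletes admin), while the hardened mode refuses both requests and the admin account survives. The two fixes are independent and both are worth having: the per-request lookup closes the window even if revocation is missed somewhere, and revocation on delete is what a detection or audit rule can check for (sessions belonging to a user id that no longer exists are a finding).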
Hi @admin, can you please assign CVE-2022-39234 for this vuln?