User's session persists after permanently deleting his account in glpi-project/glpi

Valid

Reported on

Sep 18th 2022


Description

If a user is logged in and an admin permanently deletes that user's account, the user is still able to perform all of his normal actions until his session expires on its own.

If a logged-in user with the admin role is deleted permanently, he is still able to permanently delete other admins; any admin who is not logged in at that moment will no longer be able to access his account.

Proof of Concept

  • Log in as "admin" (Super-Admin)
  • Create a user (tmp_admin) with the admin role
  • Log in as "tmp_admin" in another browser
  • Using the "admin" account, delete the "tmp_admin" account permanently
  • Go back to the other browser where "tmp_admin" is logged in, and perform your normal actions, like creating a ticket, etc.
  • Log out from the "admin" account
  • Using "tmp_admin", delete the "admin" account permanently
  • Now you can't log in as "admin"

Impact

  • A permanently deleted low-privileged user can spam the instance, since he is still able to create tickets; he can also still access the tickets he has been assigned to and read the new answers.

  • A permanently deleted high-privileged user can permanently delete other admins and prevent them from accessing their accounts again, which may lead to the loss of all accounts.
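The two behaviours the report contrasts, as an added Python example that is not GLPI code (GLPI itself is PHP; the in-memory `UserStore` and `SessionStore` below are constructed stand-ins for its user table and PHP session handler). `resolve_user_vulnerable` trusts a session until its own expiry, which is exactly what lets a deleted account keep working; `resolve_user_hardened` re-checks on every request that the account behind the session still exists, and `delete_user_hardened` revokes the account's live sessions at deletion time so the window closes immediately rather than at session timeout.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    name: str
    role: str


class UserStore:
    """Constructed stand-in for the application's user table."""

    def __init__(self):
        self._users = {}
        self._next_id = 1

    def create(self, name, role):
        user = User(self._next_id, name, role)
        self._users[user.user_id] = user
        self._next_id += 1
        return user

    def get(self, user_id):
        return self._users.get(user_id)

    def delete_permanently(self, user_id):
        self._users.pop(user_id, None)


class SessionStore:
    """Server-side session store (the role PHP sessions play in GLPI)."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}  # session id -> {"user_id", "expires"}
        self.ttl = ttl_seconds

    def login(self, user_id, now):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user_id": user_id, "expires": now + self.ttl}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def revoke_for_user(self, user_id):
        """Drop every live session owned by user_id; returns how many were removed."""
        doomed = [s for s, d in self._sessions.items() if d["user_id"] == user_id]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)

    def count(self):
        return len(self._sessions)


def resolve_user_vulnerable(sessions, sid, now):
    """Insufficient session expiration: only the session's own expiry is checked,
    so a deleted account keeps working until the session times out."""
    data = sessions.get(sid)
    if data is None or data["expires"] <= now:
        sessions.destroy(sid)
        return None
    return data["user_id"]


def resolve_user_hardened(sessions, users, sid, now):
    """Re-validate the principal on every request: a session is only as good
    as the account it points to. A missing account destroys the session."""
    data = sessions.get(sid)
    if data is None or data["expires"] <= now:
        sessions.destroy(sid)
        return None
    user = users.get(data["user_id"])
    if user is None:
        sessions.destroy(sid)
        return None
    return user.user_id


def delete_user_hardened(users, sessions, user_id):
    """Deletion path that also revokes the account's live sessions."""
    users.delete_permanently(user_id)
    return sessions.revoke_for_user(user_id)


def scenario():
    """Replay the report: tmp_admin is logged in, then deleted by admin."""
    now = int(time.time())
    users, sessions = UserStore(), SessionStore()
    users.create("admin", "super-admin")
    tmp_admin = users.create("tmp_admin", "admin")
    sid = sessions.login(tmp_admin.user_id, now)
    users.delete_permanently(tmp_admin.user_id)  # deletion without revocation
    still_trusted = resolve_user_vulnerable(sessions, sid, now + 60)
    rejected = resolve_user_hardened(sessions, users, sid, now + 60)

    # Same scenario with the hardened deletion path.
    users2, sessions2 = UserStore(), SessionStore()
    tmp2 = users2.create("tmp_admin", "admin")
    sessions2.login(tmp2.user_id, now)
    revoked = delete_user_hardened(users2, sessions2, tmp2.user_id)
    return {
        "vulnerable_still_trusted": still_trusted == tmp_admin.user_id,
        "hardened_rejected": rejected is None,
        "revoked": revoked,
        "sessions_after_hardened_delete": sessions2.count(),
    }


if __name__ == "__main__":
    print(scenario())
```

Both checks are needed: per-request validation catches sessions on other nodes or in stores the deletion code cannot reach, while revocation at deletion time stops the deleted account from acting between deletion and its next request.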

We are processing your report and will contact the glpi-project/glpi team within 24 hours. 3 months ago
François Legastelois modified the Severity from High (7.2) to Low (2.7) 3 months ago
François Legastelois modified the CWE from Improper Access Control to Insufficient Session Expiration 3 months ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 3 months ago
We have sent a follow up to the glpi-project/glpi team. We will try again in 7 days. 2 months ago
glpi-project/glpi maintainer modified the Severity from Low (2.7) to Medium (4.7) 2 months ago
glpi-project/glpi maintainer has acknowledged this report 2 months ago
The researcher has received a minor penalty to their credibility for misclassifying the vulnerability type: -1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Cédric Anne validated this vulnerability a month ago
Seif-Allah Homrani has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the glpi-project/glpi team. We will try again in 7 days. a month ago
Cédric Anne marked this as fixed in 10.0.4 with commit edb815 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Cédric Anne published this vulnerability a month ago
Seif-Allah
a month ago

Researcher


Hi @admin, can you please assign CVE-2022-39234 for this vuln?
