Softaculous


Topic: Security - close all active sessions when admin changes password


Posted By: peopleinside on June 13, 2015, 6:57 pm
For security reasons, when the admin changes the password in Webuzo, all previous sessions must be closed!

Imagine the password is discovered by someone. If they are already in Webuzo and we change the password, the hacker can still do bad things.

Currently, when the admin changes the password, other open sessions are not invalidated. The user sees the message that the password of Webuzo has been changed, and if they press OK the system simply logs out this session only. This makes no sense.

You could remove the logout function when the user presses OK. What is the purpose of logging out the admin after a password change if all previous open sessions, including those from other PCs, are still valid?

In fact, if you change the admin password, don't click OK in the confirmation message window, and click on the Webuzo logo, you will not be logged out, because all old sessions from all other PCs are still valid.

This should be fixed: when the admin changes the password, all open instances on other PCs must also be closed.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Posted By: valley on June 17, 2015, 2:29 pm | Post: 1
When you change the password in Webuzo, you are logged out of the control panel.
Could you share a screenshot?

-----------------------
Webuzo : Single User Control Panel


Posted By: peopleinside on June 17, 2015, 3:07 pm | Post: 2
You are logged out only on the local PC.
If you have access open on another PC, that session is still valid.

In fact, if you change the password and, when you see the confirmation message, do NOT press OK but click the Webuzo logo, you will stay logged in.

I think a variable is needed where Webuzo stores, for example, that the current password session is 01AsdEr (a random string), and this is left in the cookie.
If the cookie string is the same as in Webuzo, then the login is valid.

If it is not the same, the login will not be valid.
When the admin user changes the password, this string should be changed to a new one in Webuzo, so if someone is logged in from another PC and tries to perform an action after the password change, the session will not be valid, as the cookie string is no longer the same as in Webuzo.

Now, if someone is logged in from another PC and you change the password for security, the other user will be able to do what he wants until they close the browser or let the session expire.

All open sessions should be invalid after the password is changed.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
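
The scheme proposed in Post 2, sketched as an added example (not part of the thread and not Webuzo's code): the server keeps a random string that is replaced on every password change, and every request checks the session against it. As a variation on the post, the cookie here carries a per-session random id and the server records which string that session was issued under; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


class AdminSessions:
    """Single-admin session store (hypothetical names, not Webuzo code)."""

    def __init__(self, password):
        self._set_password(password)
        self._sessions = {}  # session id (cookie value) -> generation at login

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def _set_password(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        # The "random string" from the post: replaced on every password change.
        self._generation = secrets.token_hex(16)

    def _issue(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._generation
        return sid

    def login(self, password):
        ok = hmac.compare_digest(self._hash(password), self._pw_hash)
        return self._issue() if ok else None

    def is_valid(self, cookie):
        # Checked on every request, so clicking the logo with an old cookie fails.
        bound = self._sessions.get(cookie or "")
        return bound is not None and hmac.compare_digest(bound, self._generation)

    def change_password(self, cookie, new_password):
        if not self.is_valid(cookie):
            return None
        self._set_password(new_password)
        self._sessions.clear()   # drop every session, on every PC
        return self._issue()     # fresh session for the caller only


def demo():
    panel = AdminSessions("old-password")        # constructed sample values
    pc_a, pc_b = panel.login("old-password"), panel.login("old-password")
    new_a = panel.change_password(pc_a, "new-password")
    return {"pc_b": panel.is_valid(pc_b), "old_pc_a": panel.is_valid(pc_a),
            "new_pc_a": panel.is_valid(new_a),
            "old_pw_login": panel.login("old-password") is not None}
```

Because validity is decided on the server at each request, the outcome does not depend on whether the browser that changed the password presses OK in the confirmation dialog.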

Posted By: valley on June 17, 2015, 3:15 pm | Post: 3
We shall reproduce the issue and resolve it soon.

-----------------------
Webuzo : Single User Control Panel


Posted By: alons on June 18, 2015, 6:49 am | Post: 4
Hi,

We will add this in the next upcoming version.

Thanks for the suggestion.

-----------------------
For immediate support please email us at our Support email address. PMs sent to any Softaculous Team member or posting in the forums is not the official way to get support.
