Place Your Ad Here

Bug Possible security issue: API Login Token always allows permanent login

There is a bug in this version
K

Kirby

Guest
API call auth/login-token allows to request a login token that either logs the user in just for one session (remember = 0) or permanently (remember=1) .

However, this setting is not part of the token and thus not validated when the token is redeemed.

This allows every token to be used for a permanent login which might be a security issue.

Continue reading...
 
You must log in or register to reply here.

Similar threads

D
XenForo Is it possible to add the node / forum id name to the autogenerated report message
Replies
0
Views
22
XenForo Development & Modifications
Darat
D
P
Bug cache rebuild possible error?
Replies
0
Views
21
XenForo General Discussions
PabloC
P
S
Ques/Help Possible to jump to last read message once clicked to a thread in the thread list?
Replies
0
Views
29
XenForo General Discussions
securedme
S
Z
XenForo Would it be possible to add a "new messages" indicator to where you left off a thread last time?
Replies
0
Views
36
XenForo Development & Modifications
zzlpolitics
Z
P
XenForo Is it possible to edit the color of the category title with html? (Paid or free)
Replies
0
Views
27
XenForo Development & Modifications
pvpers
P
Top Bottom
Back