Place Your Ad Here

Bug Possible security issue: API Login Token always allows permanent login

There is a bug in this version
K

Kirby

Guest
API call auth/login-token allows to request a login token that either logs the user in just for one session (remember = 0) or permanently (remember=1) .

However, this setting is not part of the token and thus not validated when the token is redeemed.

This allows every token to be used for a permanent login which might be a security issue.

Continue reading...
 
You must log in or register to reply here.

Similar threads

S
Ques/Help Is it possible to long press a blank space in a message to pop up an action menu?
Replies
0
Views
49
XenForo General Discussions
securedme
S
S
Ques/Help Possible to turn off new user upgrades and let existing ones expire?
Replies
0
Views
118
XenForo General Discussions
Stuart Wright
S
N
Bug XF does not loop through all possible folders inside '_output' on import/upgrade
Replies
0
Views
126
XenForo General Discussions
nocte
N
M
Ques/Help is it possible to search for posts by Reaction?
Replies
0
Views
96
XenForo General Discussions
maxd
M
D
Ques/Help Is it possible to have User Upgrades Across multiple sites?
Replies
0
Views
104
XenForo General Discussions
dunowat
D
Top Bottom
Back