OpenProject Session Management Security Vulnerability aka CVE-2017-11667


Today we will talk about a session management vulnerability that affects all OpenProject versions before 6.1.6 (old stable) and 7.0.3 (latest stable). It may lead to account compromise and to unauthorized actions being performed via physical access to a logged-in user's session. But first, some general info.

First, what is OpenProject?

OpenProject is a web-based project management system for location-independent team collaboration. This open source application is released under the GNU General Public License Version 3 and is continuously developed by an active open source community.

In addition to numerous smaller OpenProject installations there are also some very large installations in global organizations with more than 2,500 projects.


QRLJacking – Your QR-based session belongs to us!


Introduction

Before we start we need to explain some frequently mentioned terms which are: QR Code, SSO and Clickjacking.

What is QR Code?

QR code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional barcode) first designed for the automotive industry in Japan. A barcode is a machine-readable optical label that contains information about the item to which it is attached. A QR code uses four standardized encoding modes (numeric, alphanumeric, byte/binary, and kanji) to efficiently store data; extensions may also be used.
