Project

General

Profile

Security issue on windows - montgrel - 0.8.0 ?

Added by Yannis Torres over 15 years ago

Hi,

I've installed a montgrel server on a windows nt server 2003. ( don't have the choice :/ )
On this montgrel I've installed two redmine (stable 0.8.0).

I don't known if its a montgrel cgi (or session ?) issue or redmine one, but when I login with a user (lets say user with uid 10) on my first redmine, and then without login or logout, I open my second redmine, I'm automatically logged in the second redmine as the user that as the corresponding uid.

This may allow a user to grab admin access on the second redmine (if he match uid of admin account), or could seriously mess with user profiles and rights.

anyone have ever encountered this ?