  1. Confluence Data Center
  2. CONFSERVER-20189

Logout Button / Option Missing for some LDAP user accounts

Details

    • Bug
    • Resolution: Fixed
    • Medium
    • 3.4
    • 3.1.2
    • None

    Description

      Instance Details / Description:
      The logout option to kill sessions is not present for some user accounts (i.e. the zzsvat01-05 test accounts). It is believed that this is caused by LDAP user accounts that don't have a first and / or last name present. For these specific rare instances (i.e. probably just with test accounts), not having a logout button / option does not allow the user to immediately kill his or her session.

      Impact:

      This could lengthen the window of opportunity for a session-based attack (i.e. Session Hijacking / Cloning). Also, the fact that communications between the client and server for this application are not encrypted could allow an attacker to intercept a user's session identifier, and jump into the victim user's logged in session.

      Root Cause: Improper Design / Configuration

      Recommendations: Work with the vendor to pinpoint why this happens to these types of accounts, and obtain a fix for the Confluence application. (It is doubtful that all usernames in LDAP will always have both first and last names.)

          People

            akdominguez Katrina Walser (Inactive)
            9ed6ab2c3d91 CF