[QB-3380] QB links which contain the session id let you hijack the session if it is still active.
Status: | Resolved |
Project: | QuickBuild |
Component/s: | None |
Affects Version/s: | 8.0.28 |
Fix Version/s: | 9.0.9 |
Type: | Bug | Priority: | Blocker |
Reporter: | AlSt | Assigned To: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Remaining Estimate: | Unknown | Time Spent: | Unknown |
Original Estimate: | Unknown |
Description
We just got a link for a build in QB for investigating a build failure. The guy who sent us the link also copied the JSESSIONID with it. When we clicked on it we suddenly were logged in as this user.
High security risk!