-
Sourcefabric Security Advisory
Airtime Vulnerability
Session cookie weakness could allow unauthorized account access
Published: July 16th, 2014
Affected Software: Airtime 1.6.0 - 2.5.1
CVE number: CVE-2014-4915
Severity: Medium
Reporter: Albert Santoni (Sourcefabric, Airtime Team)
Overview:
User accounts, as implemented in Airtime 1.6.0 - 2.5.1, allow a remote attacker to spoof a session belonging to a different Airtime installation running on the same web server.
Impact:
Airtime accounts on web servers hosting multiple Airtime installations can be spoofed. Web servers hosting single Airtime installations are not affected.
Solutions:
Download and upgrade to Airtime 2.5.1a. Updated Debian packages are available today.
Airtime 2.5.1 installations may be patched with the patch here.
References:
[1] Airtime - the open source radio automation software
[2] Airtime 2.5.1 CVE-2014-4915 Session pinning patch
Post edited by Albert Santoni at 2014-07-16 11:41:50Airtime Developer @ Sourcefabric
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Categories
- All Discussions8,397
- Sourcefabric
- ↳ Announcements25
- Newscoop
- ↳ Newscoop Support2,189
- ↳ Newscoop Development722
- ↳ Newscoop Security13
- ↳ Newscoop Documentation17
- ↳ Newscoop Themes69
- Airtime
- ↳ Airtime Support3,139
- ↳ Airtime Development1,286
- ↳ Airtime Français146
- ↳ Airtime Documentation14
- ↳ Airtime Hacks102
- ↳ Promote your station!37
- ↳ Airtime Security11
- Booktype
- ↳ Booktype Support277
- ↳ Booktype Development55
- ↳ Booktype Documentation7
- Superdesk
- ↳ Superdesk Development264
- ↳ Web Publisher21
Poll
No poll attached to this discussion.Top Posters
-
Albert FR
1978
-
Martin Konecny
1860
-
Andrey Podshivalov
1526
-
Voisses Tech
1423
-
John Chewter
899
-
Daniel James
844
-
Roger Wilco
784
-
hoerich
627
-
Paul Baranowski
389
-
Cliff Wang
339