We released OpenProject 6.1.6. This release contains an important security fix regarding the session expiry that is detailed below.
We strongly recommend updating to the current version if you have activated the session expiry functionality of OpenProject.
OpenProject can be configured to expire sessions after a certain amount of inactivity on the session. The setting and time interval can be configured in the Authentication tab of the system settings.
The session authentication scheme for the APIv3, which is used by the majority of the Angular-driven OpenProject work packages module, did not check this setting, so the setting had no effect on session-based API authentication. A user could keep using a session for changes to work packages past its allotted lifetime, as long as the user did not leave the open work package module page. Requests that trigger a full page load (e.g., visiting other modules or refreshing the page manually) did invalidate the expired session correctly.
Because of this malfunction, an adversary who hijacked an open session by whatever means could use it indefinitely for requests against the APIv3, as long as the owner of the session did not invalidate it through a page-loading request.
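The following is an added illustration of the two behaviours described above, written for this page and not taken from OpenProject's code base. It models a minimal server-side session store with a last-activity timestamp and two API authenticators: one that only checks that the session id is known (the flaw described above) and one that additionally enforces the configured inactivity timeout and destroys a session that has exceeded it. The store, the 15-minute TTL and the timestamps are assumptions chosen for the example.

```ruby
require 'time'

# Assumed setting for this example: a session expires after 15 minutes of inactivity.
SESSION_TTL_SECONDS = 15 * 60

# Hypothetical session record: who owns it and when it was last used.
Session = Struct.new(:id, :user_id, :last_activity_at)

# Hypothetical in-memory session store standing in for a real backend.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create(user_id, now)
    id = "sess-#{@sessions.size + 1}"
    @sessions[id] = Session.new(id, user_id, now)
    id
  end

  def find(id)
    @sessions[id]
  end

  def invalidate(id)
    @sessions.delete(id)
  end
end

# Flawed authenticator: any known session id is accepted, however long it has
# been idle. This is the behaviour described for the APIv3 before the fix.
def authenticate_api_without_expiry(store, session_id, now)
  session = store.find(session_id)
  return nil unless session

  session.last_activity_at = now
  session.user_id
end

# Corrected authenticator: a session idle longer than the TTL is rejected and
# destroyed; an accepted request slides the inactivity window forward.
def authenticate_api_with_expiry(store, session_id, now, ttl = SESSION_TTL_SECONDS)
  session = store.find(session_id)
  return nil unless session

  if now - session.last_activity_at > ttl
    store.invalidate(session.id)
    return nil
  end

  session.last_activity_at = now
  session.user_id
end

# Constructed scenario: the owner logs in at t0 and then goes idle; someone holding
# the session id sends one API request per hour for three hours. Returns the user
# id each request was authenticated as (nil = rejected).
def replay_scenario(authenticator, interval_seconds = 3600, requests = 3)
  store = SessionStore.new
  t0 = Time.utc(2017, 7, 27, 9, 0, 0)
  sid = store.create(42, t0) # legitimate login
  (1..requests).map { |n| authenticator.call(store, sid, t0 + n * interval_seconds) }
end

if __FILE__ == $PROGRAM_NAME
  puts "without expiry check: #{replay_scenario(method(:authenticate_api_without_expiry)).inspect}"
  puts "with expiry check:    #{replay_scenario(method(:authenticate_api_with_expiry)).inspect}"
  # Requests every 10 minutes stay inside the window and keep the session alive.
  puts "active user, with check: #{replay_scenario(method(:authenticate_api_with_expiry), 600).inspect}"
end
```

Running the script shows the flawed authenticator returning the owner's user id for every hourly request, while the corrected one rejects the first request after the window has passed and every request after it, because the session was destroyed on that first rejection. The third line shows that a user who keeps working (requests every 10 minutes) is not affected by the check, which is the sliding-window semantics the inactivity setting is meant to have.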
This vulnerability has been assigned to the identifier CVE-2017-11667.
This security issue was discovered by Mohamed A. Baset from Seekurity SAS de C.V and was disclosed to us yesterday evening. Thank you for the elaborate report and for disclosing this directly to us. It is very much appreciated.
We take security very seriously at OpenProject. We value any kind of feedback that will keep our community secure. If you happen to come across a security issue we urge you to disclose it to us privately at firstname.lastname@example.org to allow our users and community enough time to upgrade. Security issues will always take precedence over anything else in the pipeline.