We released OpenProject 7.0.3. This release contains an import security fix regarding the session expiry that is detailed below.
We strongly recommend the update to the current version if you have activated the session expiry functionality of OpenProject.
OpenProject can be configured to expire sessions after a certain amount of inactivity on the session. The setting and time interval can be configured in the Authentication tab of the system settings.
The session authentication scheme for the APIv3, used in the majority of the angular-driven OpenProject work packages module, did not correctly check this setting and in turn, the setting did not matter for API session-based authentication. Users were able to use session for changes to work packages even past their allotted lifetime as long as the user did not leave the open work package module page. However, requests that and trigger a page refresh (e.g., visiting other modules or refreshing the page manually) cause the session to invalidate properly.
With this malfunction, an adversary hijacking an open session through whatever means could use it indefinitely for requests against the APIv3, as long as the owner of the session did not invalidate it through some page-refreshing request.
This security issue has been discovered by Mohamed A. Baset from Seekurity SAS de C.V and was disclosed to us yesterday evening. Thank you the elaborate report and for disclosing this directly to us. It is very much appreciated.
We take security very seriously at OpenProject. We value any kind of feedback that will keep our community secure. If you happen to come across a security issue we urge you to disclose it to us privately at email@example.com to allow our users and community enough time to upgrade. Security issues will always take precedence over anything else in the pipeline.
Bug fixes (7)
- Boolean custom fields were set to true when copying a work package with such a field activated. (#25494)
- Filtering for boolean custom fields did not function properly. (#25570)
- The names of work packages have been escaped needlessly in the relations autocompleter. (#25534)
- The height of the query dropdown no longer exceeds the total available space when lots of queries are saved. (#25572)
- Bulk deleting work packages across more than one project failed with an error. (#25569)
- Removed an unnecessary horizontal scrollbar in the query dropdown. (#25593)
- Path parameters of the repository view are now preserved when the user needed to pass through the login screen first. (#25586)
Thanks a lot to the community, in particular to Peter F, Jochen Gehlbach and Ole Odendahl for reporting bugs!
For further information on the release, please refer to the GitHub changelog.