Meeting Room Booking System Cookie Password Disclosure

2005-04-22T04:40:31
ID OSVDB:15886
Type osvdb
Reporter John Beranek(jberanek@users.sourceforge.net)
Modified 2005-04-22T04:40:31

Description

Vulnerability Description

Meeting Room Booking System contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to plain text passwords stored is session cookies, which are not deleted when the user logs out. This may lead to a loss of confidentiality.

Solution Description

Upgrade to version 1.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. With the upgrade, session_cookie.inc now deletes the cookie when the user logs out, and the user password is no longer stored in a cookie.

Short Description

Meeting Room Booking System contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to plain text passwords stored is session cookies, which are not deleted when the user logs out. This may lead to a loss of confidentiality.

References:

Vendor URL: http://mrbs.sourceforge.net/ Vendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?release_id=322439