Hi Hammad, there's no bounty and there never will be; this is an open source project run by volunteers, so thank you for reporting this and contributing to the PHP project.
Ondrej

--
Ondřej Surý <ond...@sury.org> (He/Him)

> On 9. 2. 2023, at 22:51, Hammad khan <hammadkhan88...@gmail.com> wrote:
>
> Hey Team,
>
> I'm a penetration tester and bug bounty hunter. I have found a potential
> vulnerability in the site. Please review the report below.
>
> Vulnerability: Broken Authentication & Session Management
> We have observed that when we change "password" from one browser, in place of
> session expiration from another browser, it just updates the password from
> another browser and the old session gets updated without being logged out.
> The flow goes like this:
> Broken Authentication and Session Management
> Failure to Invalidate Session
>
> On Password Change
> Steps:
> 1- Login from two browsers at a time [from Chrome browser and from Mozilla
> Firefox].
> 2- Change password in settings from Chrome browser.
> 3- Now check Mozilla Firefox.
> 4- Your session got "updated" in place of expiration.
>
> Same goes when using two different computer systems.
> 1- Login from two computers at a time.
> 2- Change password in settings from computer A.
> 3- Now check computer B.
> 4- Your session got "updated" in place of expiration.
>
> Recommendations: If the session is updated from one browser/computer, the other
> should expire first and renew the session only after login.
>
> If you require any additional information, please let me know. I'll be
> waiting to hear from your side regarding the report and bounty.
>
> --
> Regards,
> Hammad

--
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
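The mitigation Hammad recommends, as an added example that is not part of this thread or of php.net's own code: each session records a hypothetical per-user password version, and a password change bumps that version, so the session left open in a second browser stops validating instead of being silently updated. In-memory dicts stand in for the site's database, and the SHA-256 hash is illustrative only.

```python
import hashlib
import secrets
from typing import Optional

# Constructed in-memory stores standing in for the site's database.
# "pw_version" is a hypothetical counter bumped on every password change;
# each session records the version it was issued under.
USERS = {}     # username -> {"pw_hash": str, "pw_version": int}
SESSIONS = {}  # session id -> {"user": str, "pw_version": int}

def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()  # illustrative only

def register(username: str, password: str) -> None:
    USERS[username] = {"pw_hash": _hash(password), "pw_version": 0}

def login(username: str, password: str) -> Optional[str]:
    user = USERS.get(username)
    if user is None or user["pw_hash"] != _hash(password):
        return None
    sid = secrets.token_urlsafe(32)
    # Snapshot the password version this session was created under.
    SESSIONS[sid] = {"user": username, "pw_version": user["pw_version"]}
    return sid

def session_user(sid: str) -> Optional[str]:
    """Return the user for sid, or None if the session is gone or stale."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["pw_version"] != USERS[sess["user"]]["pw_version"]:
        del SESSIONS[sid]  # password changed since issue: treat as logged out
        return None
    return sess["user"]

def change_password(sid: str, old: str, new: str) -> bool:
    username = session_user(sid)
    if username is None or USERS[username]["pw_hash"] != _hash(old):
        return False
    user = USERS[username]
    user["pw_hash"], user["pw_version"] = _hash(new), user["pw_version"] + 1
    # Drop every other session of this user; the one making the change is
    # re-stamped with the new version so it alone survives.
    for other in [s for s, v in SESSIONS.items() if v["user"] == username]:
        if other != sid:
            del SESSIONS[other]
    SESSIONS[sid]["pw_version"] = user["pw_version"]
    return True
```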