silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled
If remember me is on and users log in with the box checked, if the developer then disabled "remember me" function, any pre-existing cookies will continue to authenticate users.
| Software | From | Fixed in |
|---|---|---|
silverstripe / framework
|
3.1.19-rc1 | 3.1.20 |
|
silverstripe / framework
|
3.2.4-rc1 | 3.2.5 |
|
silverstripe / framework
|
3.3.2-rc1 | 3.3.3 |
|
silverstripe / framework
|
3.4.0-rc1 | 3.4.1 |
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-014-1.yaml
- https://github.com/silverstripe/silverstripe-framework/commit/1c7d5de51bcdf16ebb21c5a0ebe5fe9e31f9a822
- https://github.com/silverstripe/silverstripe-framework/commit/b1f449762b5d11658b11d5036d5ae361a95fd61e
- https://github.com/silverstripe/silverstripe-framework/commit/d1163d87b70e3e147f22a1e423b9f70f6fd85e8f
- https://github.com/silverstripe/silverstripe-framework/commit/fa7f5af8618a83c865b11fd6cc981ad9661046e6
- https://www.silverstripe.org/download/security-releases/ss-2016-014
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime