From mboxrd@z Thu Jan 1 00:00:00 1970
From: Asad Ali
Date: Thu, 7 Sep 2023 03:20:33 +0500
Subject: Re: bug report
To: cygwin@cygwin.com

Hi Team,

Is there any update on this? I'm hoping to receive a reward for the reported bug. Waiting for your response.

On Fri, Dec 30, 2022 at 5:46 AM Asad Ali wrote:
> Hey Team,
>
> I'm a penetration tester and bug bounty hunter. I have found a potential
> vulnerability in the site. Please review the report below.
>
> Vulnerability: Broken Authentication & Session Management
> We have observed that when we change the "password" from one browser, in place
> of session expiration in another browser, it just updates the password
> from the other browser and the old session gets updated without being logged
> out. The flow goes like this:
> Broken Authentication and Session Management > Failure to Invalidate Session > On Password Change
> Steps:
>
> 1- Login from two browsers at a time [from the Chrome browser and from Mozilla
> Firefox].
>
> 2- Change the password in settings from the Chrome browser.
>
> 3- Now check Mozilla Firefox.
>
> 4- Your session got "updated" in place of expiring.
>
> The same goes for when using two different computer systems.
>
> 1- Login from two computers at a time.
>
> 2- Change the password in settings from computer A.
>
> 3- Now check computer B.
>
> 4- Your session got "updated" in place of expiring.
>
> Recommendations: If the session is updating from one browser/computer, the other
> should expire first, to renew the session after login.
>
> If you require any additional information, please let me know. I'll be
> waiting to hear from your side regarding the report and bounty.
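A server-side mitigation for the behaviour the report describes (sessions in other browsers surviving a password change), added here as an example that is not part of the original email or of any Cygwin code: every session is bound to a per-user password generation counter, so a password change bumps the counter, which invalidates all other sessions while re-issuing the one that made the change. The in-memory store, the user records and the `_hash` stand-in for a real password hash are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password_hash: str            # constructed stand-in; use argon2/bcrypt in production
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    user: str
    password_generation: int      # generation the session was issued under


class SessionStore:
    """Server-side sessions bound to the password generation of their user."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    @staticmethod
    def _hash(pw):
        return "h:" + pw  # constructed placeholder, not a real KDF

    def add_user(self, username, password):
        self.users[username] = User(username, self._hash(password))

    def login(self, username, password):
        u = self.users[username]
        if u.password_hash != self._hash(password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, u.password_generation)
        return sid

    def is_valid(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return False
        # Sessions issued before the latest password change are rejected.
        return s.password_generation == self.users[s.user].password_generation

    def change_password(self, sid, old, new):
        if not self.is_valid(sid):
            return None
        u = self.users[self.sessions[sid].user]
        if u.password_hash != self._hash(old):
            return None  # re-authenticate before a sensitive change
        u.password_hash = self._hash(new)
        u.password_generation += 1          # every existing session is now stale
        del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)  # re-issue only the changing session
        self.sessions[new_sid] = Session(u.username, u.password_generation)
        return new_sid
```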