CMS preview channel session not immediately invalidated when CMS user logs out 

Issue date: 31-10-2016
Affects versions: 10.2, 10.1, 10.0, 7.9

Issue id: SECURITY-23
 

Affected Product Version(s)
This vulnerability applies to CMS 7.9.14 and earlier, and to CMS 10.2.2 and earlier.


Severity 

Normal


Description

A security researcher working for a Hippo customer reported a security vulnerability in the Hippo CMS authoring environment.
This vulnerability does not affect the delivery tier serving the live websites managed and rendered through Hippo; it concerns only the preview of content from within the authoring environment.

The vulnerability concerns access to preview content on the strength of the credentials of a previously logged-in CMS user, on the same computer and in the same browser window. When the CMS user logs out, the preview channel session is not invalidated together with the CMS session, so the preview content remains accessible without logging in again until the preview channel session reaches its default time-out.

Hippo classifies this as a low-risk vulnerability: to see potentially confidential (unpublished) content, a malicious user needs access to the same computer and to a browser window that was not closed after the CMS user logged out.
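The following model illustrates the failure mode described above. It is an added example and not Hippo code: the two session stores, the timeouts, the sample user and the in-process mapping from CMS session to preview sessions are all assumptions made for illustration. The point it shows is structural: the preview channel is served from a separate session that the delivery tier validates on its own, so unless logout explicitly invalidates the preview sessions issued for that CMS login, the old preview cookie keeps working until its idle time-out.

```python
"""Two-session logout model (added illustration, not Hippo code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Assumed time-outs in seconds; the advisory does not state the real values.
CMS_SESSION_TIMEOUT = 60 * 60
PREVIEW_SESSION_TIMEOUT = 30 * 60


class FakeClock:
    """Deterministic clock so the replay can jump past a time-out."""

    def __init__(self, now: float = 1_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Session:
    user: str
    last_seen: float
    invalidated: bool = False


class SessionStore:
    """Idle-time-out session table; one instance per tier (authoring, delivery)."""

    def __init__(self, timeout: float, clock: FakeClock):
        self.timeout = timeout
        self.clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, self.clock())
        return sid

    def lookup(self, sid: str) -> Session | None:
        s = self._sessions.get(sid)
        if s is None or s.invalidated:
            return None
        now = self.clock()
        if now - s.last_seen > self.timeout:
            s.invalidated = True  # idle time-out is the only thing that ends it
            return None
        s.last_seen = now
        return s

    def invalidate(self, sid: str) -> None:
        s = self._sessions.get(sid)
        if s is not None:
            s.invalidated = True


class AuthoringWithPreview:
    """CMS login/logout plus preview-channel access served by the delivery tier.

    couple_sessions=False reproduces the reported behaviour: logout ends the
    CMS session only. couple_sessions=True is the hardened variant: the CMS
    records which preview sessions it caused to be issued and ends them too.
    """

    USERS = {"editor": "correct horse battery staple"}  # constructed sample user

    def __init__(self, clock: FakeClock, couple_sessions: bool):
        self.couple_sessions = couple_sessions
        self.cms_sessions = SessionStore(CMS_SESSION_TIMEOUT, clock)
        self.preview_sessions = SessionStore(PREVIEW_SESSION_TIMEOUT, clock)
        self._preview_by_cms: dict[str, set[str]] = {}

    def login(self, user: str, password: str) -> str | None:
        if self.USERS.get(user) != password:
            return None
        return self.cms_sessions.create(user)

    def open_preview(self, cms_sid: str) -> str | None:
        """The CMS vouches for the user; the delivery tier issues its own session."""
        cms = self.cms_sessions.lookup(cms_sid)
        if cms is None:
            return None
        preview_sid = self.preview_sessions.create(cms.user)
        self._preview_by_cms.setdefault(cms_sid, set()).add(preview_sid)
        return preview_sid

    def read_preview(self, preview_sid: str) -> str | None:
        """The delivery tier checks only its own session, never the CMS one."""
        s = self.preview_sessions.lookup(preview_sid)
        return None if s is None else f"unpublished draft visible to {s.user}"

    def logout(self, cms_sid: str) -> None:
        self.cms_sessions.invalidate(cms_sid)
        if self.couple_sessions:
            for preview_sid in self._preview_by_cms.pop(cms_sid, ()):
                self.preview_sessions.invalidate(preview_sid)


def preview_readable_after_logout(couple_sessions: bool, idle_seconds: float = 0) -> bool:
    """Replay the advisory scenario: log in, open preview, log out, wait, retry."""
    clock = FakeClock()
    app = AuthoringWithPreview(clock, couple_sessions)
    cms_sid = app.login("editor", "correct horse battery staple")
    assert cms_sid is not None
    preview_sid = app.open_preview(cms_sid)
    assert preview_sid is not None and app.read_preview(preview_sid) is not None
    app.logout(cms_sid)
    assert app.cms_sessions.lookup(cms_sid) is None  # the CMS side always ends
    clock.advance(idle_seconds)
    return app.read_preview(preview_sid) is not None


if __name__ == "__main__":
    print("uncoupled, right after logout:", preview_readable_after_logout(False))
    print("uncoupled, past preview time-out:",
          preview_readable_after_logout(False, PREVIEW_SESSION_TIMEOUT + 1))
    print("coupled, right after logout:", preview_readable_after_logout(True))
```

In the uncoupled variant the old preview session id still reads unpublished content right after logout and only stops once the preview time-out has passed, which is the behaviour the advisory describes; in the coupled variant logout ends it immediately. The same replay is the manual check to run after upgrading: log in to the CMS, open a channel preview, log out, then reload the preview tab in the same browser window and confirm that it now demands a login instead of showing the content.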


Upgrade instructions

Hippo has fixed this vulnerability in all supported versions and has published new maintenance releases so that you can upgrade and close it in your Hippo implementation.

The fix requires no changes to Hippo-based projects themselves other than upgrading to the latest Hippo maintenance release: CMS 11.0.x, CMS 10.2.3 or CMS 7.9.15.

Part of the fix, however, changed the way the CMS authoring application integrates channel preview access with the delivery tier.

When running a cluster of Hippo CMS authoring instances, it is therefore important to check the load-balancing requirements, which have become more specific as of these releases.