
Security release 1.9.1 of pretix

Nov. 25, 2017

Today, we internally found two security vulnerabilities in pretix. We have therefore just released versions 1.7.2, 1.8.1, and 1.9.1 of pretix that fix these problems. We strongly recommend that you update your installation as soon as possible. If you are a customer of our hosted service, the vulnerabilities are already fixed for you and you do not need to take action.

#1: Improper handling of session timeouts [HIGH]

In pretix 1.7, we introduced session expiry: sessions expire after 12 hours by default and require the password to be re-entered after 3 hours of inactivity. Due to a coding mistake, it was possible to bypass the password prompt that is shown when a session has been inactive for more than three hours but is not yet 12 hours old.

The source of the problem was that in this case the user is redirected to /control/reauth/?next=/previous_url to re-enter the password. However, loading this URL was itself counted as "session activity", since the user technically was still logged in. Therefore, once the password prompt had been loaded, the inactivity timer was reset and the user could access all pages again without ever entering the password.

We fixed this problem by no longer treating visits to this URL as session activity.

Severity rating: As the bug might allow an attacker with access to an unattended device to use a session that its owner believes to be "locked", we assess the severity of this issue as high.

Affected versions: All versions of pretix since 1.7.0 are affected; session expiry did not exist before 1.7.

We found this issue during an internal code review.

#2: Session timeout is ignored by API endpoints [HIGH]

Our REST API is accessible with custom API tokens, but also with valid user sessions. If such a session had timed out (see issue #1 above), all API endpoints remained accessible with it, as long as the user had not reloaded the control web interface after the 12-hour timeout (reloading it is what actually logs the session out).

Severity rating: As the bug might allow an attacker with access to an unattended device to use a session that its owner believes to be "locked" or expired, we assess the severity of this issue as high.

Affected versions: All versions of pretix since 1.7.0 are affected; session expiry did not exist before 1.7.

We found this issue while fixing issue #1.
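To make both issues concrete, here is an added example written for this page; it is not pretix's own code and does not reproduce its implementation. It models the session rules described above (12 h absolute lifetime, lock after 3 h idle, a /control/reauth/ prompt) with a constructed Session class and constructed timestamps, and lets you switch each bug on and off: in issue #1, loading the re-authentication prompt counted as activity and so unlocked the session; in issue #2, the API accepted any still-authenticated session without consulting the timeouts. The fix shown for both is the same: one session_state() check that every entry point uses, and an activity timer that only a correct password may refresh.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defaults named in the advisory: sessions live at most 12 h and are
# locked (password re-prompt) after 3 h without activity.
ABSOLUTE_LIFETIME = timedelta(hours=12)
IDLE_TIMEOUT = timedelta(hours=3)
REAUTH_PATH = "/control/reauth/"


@dataclass
class Session:            # constructed stand-in for a server-side session record
    created_at: datetime
    last_activity: datetime
    authenticated: bool = True


def session_state(session: Session, now: datetime) -> str:
    """'expired' past the absolute lifetime, 'locked' past the idle timeout,
    otherwise 'active'. One check shared by every entry point (web and API)."""
    if not session.authenticated or now - session.created_at > ABSOLUTE_LIFETIME:
        return "expired"
    if now - session.last_activity > IDLE_TIMEOUT:
        return "locked"
    return "active"


def handle_web_request(session, now, path, reauth_counts_as_activity):
    """Control-panel request: returns 'expired', 'reauth' or 'page'.
    reauth_counts_as_activity=True reproduces the bug in issue #1."""
    state = session_state(session, now)
    if state == "expired":
        session.authenticated = False      # log out; API calls fail from here on
        return "expired"
    if path == REAUTH_PATH:
        if reauth_counts_as_activity:
            session.last_activity = now    # the bug: loading the prompt unlocks
        return "reauth"
    if state == "locked":
        return "reauth"                    # redirect to REAUTH_PATH?next=path
    session.last_activity = now            # genuine activity refreshes the timer
    return "page"


def reauthenticate(session, now, password, expected):
    """Only a correct password may refresh last_activity."""
    if hmac.compare_digest(password.encode(), expected.encode()):
        session.last_activity = now
        return True
    return False


def handle_api_request(session, now, enforce_timeouts):
    """REST call authenticated by session cookie. enforce_timeouts=False
    reproduces issue #2: any authenticated session is accepted, locked or not."""
    if not enforce_timeouts:
        return "data" if session.authenticated else "denied"
    return "data" if session_state(session, now) == "active" else "denied"


T0 = datetime(2017, 11, 25, 8, 0)   # constructed timestamps for the scenarios


def scenario_issue1(reauth_counts_as_activity):
    """Session idle for 4 h: open the reauth prompt, then retry the locked page."""
    s = Session(T0, T0)
    now = T0 + timedelta(hours=4)
    assert handle_web_request(s, now, "/control/events/", reauth_counts_as_activity) == "reauth"
    handle_web_request(s, now, REAUTH_PATH, reauth_counts_as_activity)
    return handle_web_request(s, now, "/control/events/", reauth_counts_as_activity)


def scenario_reauth(password):
    """Fixed flow: the page only loads again after a correct password."""
    s = Session(T0, T0)
    now = T0 + timedelta(hours=4)
    handle_web_request(s, now, REAUTH_PATH, False)
    reauthenticate(s, now, password, "correct horse")
    return handle_web_request(s, now, "/control/events/", False)


def scenario_issue2(enforce_timeouts, reload_ui_first=False):
    """Session 13 h old (past the absolute lifetime): optionally reload the
    control UI, then call the API with the session cookie."""
    s = Session(T0, T0 + timedelta(hours=12))
    now = T0 + timedelta(hours=13)
    if reload_ui_first:
        handle_web_request(s, now, "/control/", False)
    return handle_api_request(s, now, enforce_timeouts)


if __name__ == "__main__":
    print("issue #1 vulnerable:", scenario_issue1(True))      # page   (lock bypassed)
    print("issue #1 fixed:     ", scenario_issue1(False))     # reauth
    print("issue #2 vulnerable:", scenario_issue2(False))     # data   (expired session)
    print("issue #2 after UI reload:", scenario_issue2(False, True))  # denied
    print("issue #2 fixed:     ", scenario_issue2(True))      # denied
```

The point of the shared session_state() helper is that a timeout policy enforced in only one code path is not a policy: the control panel, the re-authentication view and the API all have to consult the same check, and only a successful password entry may move last_activity forward.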

Fixed versions

The two bugs affect every version since 1.7.0; installations older than 1.7 have no session expiry at all. We have just released updates for the last three stable branches (1.7.2, 1.8.1 and 1.9.1) on PyPI that fix the problem. If you run a pretix installation older than 1.7, please upgrade it to a recent version now.

The new Docker images will appear on Docker Hub over the next few hours.

We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.

If you want to stay informed about bugfix and security releases, you should follow this blog closely. An RSS feed is available, and we also announce every blog post on Twitter.

We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are human, security issues unfortunately might still occur from time to time. We do everything we can to find and fix them as quickly as possible. If you notice any security problems or have any questions on this topic, please contact us in private at support@pretix.eu. We will always treat your message with the appropriate priority.
