0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: LOW

Location: src/Middleware/MaintenanceMiddleware.php:36-41

Bug: Runs before AuthMiddleware in public-browsing group; fabricated session with matching user_id could bypass maintenance.

Fix: Move it after AuthMiddleware in all groups, or document convenience-only.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:58pm

Resolved.

MaintenanceMiddleware now requires $_SESSION['_auth_validated_at'] in addition to $_SESSION['user_id'] before considering an admin bypass (src/Middleware/MaintenanceMiddleware.php). In public-browsing routes (where AuthMiddleware doesn't run), a fabricated session cookie can no longer cause the maintenance block to skip.

Legitimate admins browsing public pages will still bypass once they've hit any auth-required route and been validated by AuthMiddleware that session — which is already the case when toggling maintenance from the admin panel.

Locking this thread.
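The two posts above describe the defect and the fix in prose only. The following is an added example, not the project's own code, showing the ordering problem in a minimal middleware pipeline and why the `_auth_validated_at` stamp closes it. The class names `MaintenanceMiddleware` and `AuthMiddleware` and the session keys `user_id` and `_auth_validated_at` come from the thread; the constructor flags, the user table, the callable pipeline shape and the response strings are assumptions made for this demonstration. It also assumes what the fix implicitly relies on: sessions are stored server-side, so a client can only present a session id, never set `_auth_validated_at` itself. With a purely client-side (cookie-serialised) session the stamp would be forgeable and the fix would not hold.

```php
<?php
// Added example, not the project's code. Demonstrates the bug and the fix
// described in this thread with a self-contained callable pipeline.
declare(strict_types=1);

final class MaintenanceMiddleware
{
    public function __construct(
        private bool $maintenanceOn,
        // false = the original check (user_id alone), true = the fixed check
        private bool $requireValidatedSession,
    ) {}

    /** Returns a response string; calls $next only when the request may proceed. */
    public function handle(array $session, callable $next): string
    {
        if (!$this->maintenanceOn) {
            return $next($session);
        }

        $hasUserId = isset($session['user_id']);

        // The fix: user_id is only trusted when AuthMiddleware has stamped the
        // session in this session. Assumes a server-side session store, so the
        // stamp cannot be supplied by the client.
        $validated = isset($session['_auth_validated_at'])
            && is_int($session['_auth_validated_at'])
            && $session['_auth_validated_at'] <= time();

        $bypass = $this->requireValidatedSession
            ? ($hasUserId && $validated)
            : $hasUserId;

        return $bypass ? $next($session) : '503 Service Unavailable (maintenance)';
    }
}

final class AuthMiddleware
{
    /** Constructed user table standing in for a real lookup. */
    private const USERS = [
        1 => ['role' => 'admin'],
        2 => ['role' => 'member'],
    ];

    /** Runs only on auth-required routes; stamps the session after a real check. */
    public function handle(array $session, callable $next): string
    {
        $id = $session['user_id'] ?? null;
        if (!is_int($id) || !isset(self::USERS[$id])) {
            return '401 Unauthorized';
        }
        if (self::USERS[$id]['role'] !== 'admin') {
            return '403 Forbidden';
        }
        $session['_auth_validated_at'] = time();
        return $next($session);
    }
}

$publicPage = fn(array $s): string => '200 OK public page';

// Constructed sessions for the demonstration.
$userIdOnly = ['user_id' => 1];                                  // user_id but no stamp
$stamped    = ['user_id' => 1, '_auth_validated_at' => time()];  // as left by AuthMiddleware

$original = new MaintenanceMiddleware(maintenanceOn: true, requireValidatedSession: false);
$fixed    = new MaintenanceMiddleware(maintenanceOn: true, requireValidatedSession: true);

// Public-browsing group: MaintenanceMiddleware runs without AuthMiddleware in front of it.
printf("original, user_id only: %s\n", $original->handle($userIdOnly, $publicPage)); // 200 OK (the bug)
printf("fixed,    user_id only: %s\n", $fixed->handle($userIdOnly, $publicPage));    // 503
printf("fixed,    stamped:      %s\n", $fixed->handle($stamped, $publicPage));       // 200 OK

// Auth-required group: AuthMiddleware runs first and stamps the session, so the
// same fixed check then lets a validated admin through.
$authThenMaintenance = fn(array $s): string =>
    (new AuthMiddleware())->handle($s, fn(array $s2): string => $fixed->handle($s2, $publicPage));
printf("fixed, via AuthMiddleware: %s\n", $authThenMaintenance($userIdOnly));       // 200 OK
```

A useful check when reviewing a fix of this shape is to grep every place that writes `_auth_validated_at` and confirm it is only ever set after the credential and role check, and that logout and session regeneration clear it; the stamp is only as trustworthy as the code paths that can set it.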

