If you have multiple vtigers on a host (or any PHP code on the host that can write session data) you can get past the authentication of a vtiger instance. Log in to one, and you are logged into the other with the same userid even if the passwords don't match.
Suggest changing line 39 of includes/main/WebUI.php to be something like:
if ($userid && vglobal('application_unique_key')==$_SESSION['app_unique_key']) {
However, there might be better ways of securing this.
@alanbell No, I'm using subdomains, so there is one vhost for each instance. I misunderstood because you talk about a host (which is a physical server for me).
Session cookie path plays a vital role in such a setup. Having it configured right is important. This can be achieved through .htaccess or session_set_cookie_params.
Why not do both? This was actually spotted when having a test vtiger instance on the same server so they had http://vtigerhost/ as the main thing and http://vtigerhost/training as a sandbox copy of the main site for user training and messing about with imports. In this instance the cookie path would only solve half the problem because the main one would have a path of / which would cover the /training path too.
Added the merge request. As mentioned, it might be best to do this in several other ways too, but this is a useful validation step anyway and requires no special configuration other than setting the app unique key to something unique if you have multiple instances under the same URL scope.
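The check proposed above, written out as an added stand-alone example (this is not vtiger's own code or the merge request's diff): at login the session is regenerated and stamped with the instance's application_unique_key, and on later requests the user id is trusted only if the stamp matches this instance. The constant APP_UNIQUE_KEY, the session key name `authenticated_user_id` and both function names are assumptions made for the example; in vtiger the key comes from vglobal('application_unique_key').

```php
<?php
// Added example, not vtiger's own code: bind a PHP session to one
// application instance so that a session written by another instance
// (or by any other PHP code) sharing the same session store is rejected.

// Constructed placeholder; each instance must configure its own random value.
const APP_UNIQUE_KEY = 'replace-with-a-per-instance-random-value';

/**
 * Call once after the password check has succeeded. Regenerating the id
 * discards any pre-existing session, and the stored key ties the new
 * session to this instance only.
 */
function bind_session_to_instance(int $userid, string $appKey): void
{
    session_regenerate_id(true);
    $_SESSION['authenticated_user_id'] = $userid;
    $_SESSION['app_unique_key'] = $appKey;
}

/**
 * Mirror of the suggested WebUI.php change: a userid in the session is not
 * proof of authentication when the session store is shared, so the user id
 * is returned only if the session also carries this instance's key.
 */
function session_user_for_instance(array $session, string $appKey): ?int
{
    $userid = $session['authenticated_user_id'] ?? null;
    $sessionKey = (string) ($session['app_unique_key'] ?? '');
    if (!$userid || !hash_equals($appKey, $sessionKey)) {
        return null;
    }
    return (int) $userid;
}

// Constructed demonstration using in-memory arrays in place of $_SESSION:
// a session minted by a sibling instance, and one minted by this instance.
$foreign = ['authenticated_user_id' => 1, 'app_unique_key' => 'other-instance-key'];
$own     = ['authenticated_user_id' => 1, 'app_unique_key' => APP_UNIQUE_KEY];
var_dump(session_user_for_instance($foreign, APP_UNIQUE_KEY));
var_dump(session_user_for_instance($own, APP_UNIQUE_KEY));
```

This complements, rather than replaces, giving each instance its own session.save_path or cookie path as discussed above: the key check still holds when a parent path such as / covers a sibling like /training.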