session hijack in first run wizard
Already reported to debian security team.
When entering the first run wizard passphrase, other web sessions can continue the first run wizard without being asked for the first run wizard passphrase.
To reproduce:
- apt install freedombox and keep all defaults
- Open first run wizard on machine A
- Enter the first run wizard passphrase
- Open first run wizard on machine B
Expected:
Session is invalid; wizard asks for passphrase again
Actual result:
First run wizard continues with step 2, allowing creation of arbitrary admin account
I have attached a patch that can fix this bug. Thanks to @natureshadow for mentoring me.
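Added illustration of the bug class this report describes (not the attached patch and not FreedomBox code): the weak pattern records "passphrase accepted" in process-wide state, so any later session inherits it, while the hardened pattern records it only in the session that supplied the passphrase. The in-memory session store, the class names and the session key are constructed stand-ins for the web framework's per-client session.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for a framework's per-client
# session (e.g. Django's request.session): session_id -> session data.
SESSIONS: dict[str, dict] = {}

def new_session() -> str:
    """Fresh session, as a new browser on another machine would receive."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid

class WizardGlobalFlag:
    """Weak pattern: passphrase acceptance kept in process-wide state."""
    def __init__(self, passphrase: str) -> None:
        self._passphrase = passphrase
        self._verified = False  # one flag shared by every client
    def submit_passphrase(self, sid: str, candidate: str) -> bool:
        if hmac.compare_digest(candidate, self._passphrase):
            self._verified = True
        return self._verified
    def may_enter_step2(self, sid: str) -> bool:
        return self._verified  # ignores which session is asking

class WizardSessionFlag:
    """Hardened pattern: acceptance recorded only in the session that sent it."""
    KEY = "firstboot_passphrase_ok"  # hypothetical session key name
    def __init__(self, passphrase: str) -> None:
        self._passphrase = passphrase
    def submit_passphrase(self, sid: str, candidate: str) -> bool:
        ok = hmac.compare_digest(candidate, self._passphrase)
        if ok:
            SESSIONS[sid][self.KEY] = True
        return ok
    def may_enter_step2(self, sid: str) -> bool:
        return SESSIONS.get(sid, {}).get(self.KEY) is True

def reproduce(wizard_cls) -> tuple[bool, bool]:
    """Replay the report's steps: A enters the passphrase, B only opens the wizard.
    Returns (A may reach step 2, B may reach step 2)."""
    wizard = wizard_cls("constructed-passphrase")  # constructed sample value
    machine_a, machine_b = new_session(), new_session()
    wizard.submit_passphrase(machine_a, "constructed-passphrase")
    return wizard.may_enter_step2(machine_a), wizard.may_enter_step2(machine_b)
```

With the global flag `reproduce` yields `(True, True)`, matching the "Actual result" above; with the session-bound flag it yields `(True, False)`, matching "Expected".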