pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck 4.7.15 - Session Fixation Vulnerability #99

Closed naiagoesawoo closed 3 years ago

naiagoesawoo commented 3 years ago

Issue Summary

A session-fixation vulnerability exists within Pluck's administrative login system which can be abused to retain a valid login session even after an administrator has changed their password.

Detailed Description

It is possible to arbitrarily set the session ID of Pluck's "PHPSESSID" cookie. This cookie is used for maintaining administrative login sessions. This can be used in a session-fixation attack, for example, to sustain unauthorized access to the CMS after already gaining it through a primary vulnerability. Furthermore, Pluck does not expire sessions in a timely manner, nor are sessions bound in any other way. This also allows an easier brute-force attack, as it is possible to brute-force session IDs without the rate limits imposed by the normal login process.


Reproduction Steps

  1. From Google Chrome, open the developer tools menu, navigate to: Application > Storage -> Cookies ->

  2. Change the value of the "PHPSESSID" cookie to an arbitrary value, such as "wolf".

  3. Log in to the pluck administrative panel, by visiting /login.php and logging in to the panel.

  4. On a new browser, repeat steps 1 and 2.

  5. On step 3, you will be given access without being prompted for administrative credentials.

Impact

After any primary exploit has occurred, the session fixation attack can be used in order to sustain unauthorized access. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password.

BSteelooper commented 3 years ago

Could you perform a retest with the latest dev version?

naiagoesawoo commented 3 years ago

Fixed

  1. I confirm that changing the admin password now properly invalidates an existing session.
  2. I confirm that logging out properly validates an existing session

Existing

BSteelooper commented 3 years ago

Could you perform a retest with the latest dev release?

Changes:

I might create a security options page where the session timeout is user manageable.

naiagoesawoo commented 3 years ago

Hello,

Your changes mitigate the possible damage done by exploiting the original session fixation vulnerability due to expiration of sessions. However, the vulnerability itself (the ability to set arbitrary session IDs) still exists. Your fix makes exploitation of this vastly more difficult as session IDs are regularly regenerated and sessions eventually expire.

Due to this, I consider the actual issue resolved as well :)
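The three controls the thread converges on (a server-issued session ID at login rather than one the client chose, sessions bound to the password version so a password change invalidates them, and idle/absolute expiry), shown as an added PHP example. This is not Pluck's code; the function names, the timeout values and the convention that the caller supplies the account's password-change timestamp are assumptions, and it assumes PHP 7.3+.

```php
<?php
// Added example, not Pluck's own code. Assumes PHP 7.3+ and that the caller
// knows the account's password-change timestamp (stored with the account).
const SESSION_IDLE_LIMIT = 1800;      // seconds of inactivity before expiry
const SESSION_ABSOLUTE_LIMIT = 28800; // seconds since login before expiry

function secure_session_start(): void {
    // Strict mode: PHP discards any PHPSESSID it did not issue itself (such as
    // "wolf") and generates a fresh one, so a client-chosen ID is never adopted.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => isset($_SERVER['HTTPS'])]);
    session_start();
}

function login_admin(string $username, int $password_changed_at): void {
    // Issue a new ID at the privilege change and delete the old session data,
    // so whoever knew the pre-login ID holds nothing useful afterwards.
    session_regenerate_id(true);
    $_SESSION = [
        'admin'         => $username,
        'pw_changed_at' => $password_changed_at, // credential version at login
        'login_at'      => time(),
        'last_seen'     => time(),
    ];
}

// $current_pw_changed_at is the account's password-change timestamp as stored now.
function admin_session_valid(int $current_pw_changed_at): bool {
    if (empty($_SESSION['admin'])) return false;
    $now = time();
    $expired = $now - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT
            || $now - $_SESSION['login_at'] > SESSION_ABSOLUTE_LIMIT;
    // A password change after login invalidates every earlier session.
    $stale = $current_pw_changed_at > $_SESSION['pw_changed_at'];
    if ($expired || $stale) {
        logout_admin();
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

function logout_admin(): void {
    // Remove server-side state and the cookie, not just the $_SESSION array.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call secure_session_start() before any output on every admin page, login_admin() only after the credentials have been verified, and admin_session_valid() at the top of each protected page, which sends the user back to login whenever it returns false.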