Session Fixation in filegator/filegator

Valid
Reported on Jul 1st 2021

✍️ Description

The password reset function is vulnerable to a session fixation bug; it's a small, low-hanging bug.

🕵️‍♂️ Proof of Concept

Open filegator and log in with similar accounts in multiple browsers. Change the password of the user in one browser and reload the other login session. We can see that the old session persists even after changing the password. Similar issue reference: monica

💥 Impact

The session didn't expire even after changing the password.
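The behaviour the proof of concept describes, as an added illustration that is not code from the filegator project or from this report: a minimal in-memory session store that keeps old sessions alive after a password change, next to a hardened store that records a per-user password generation in each session, rejects sessions whose generation is stale, drops the user's other sessions and re-issues the caller's session ID. filegator is written in PHP; Python is used here only because it is convenient to run, and all names (`User`, `VulnerableSessionStore`, `HardenedSessionStore`, `reproduce_poc`) and the sample credentials are hypothetical.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password: str           # plaintext only for the demo; real code stores a hash
    pw_generation: int = 0  # bumped on every password change (hardened store only)


class VulnerableSessionStore:
    """Sessions live until logout; nothing ties them to the current password."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.sessions = {}  # session_id -> username

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user.password != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def is_valid(self, sid):
        return sid in self.sessions

    def change_password(self, sid, new_password):
        username = self.sessions[sid]
        self.users[username].password = new_password
        # BUG: every other session for this user keeps working unchanged
        return sid


class HardenedSessionStore(VulnerableSessionStore):
    """Each session records the user's password generation at login time."""

    def __init__(self, users):
        super().__init__(users)
        self.sessions = {}  # session_id -> (username, pw_generation)

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user.password != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = (username, user.pw_generation)
        return sid

    def is_valid(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        username, generation = entry
        # A session minted before the last password change is stale and rejected
        return self.users[username].pw_generation == generation

    def change_password(self, sid, new_password):
        if not self.is_valid(sid):
            raise PermissionError("stale or unknown session")
        username, _ = self.sessions[sid]
        user = self.users[username]
        user.password = new_password
        user.pw_generation += 1
        # Drop every session belonging to this user, then issue a fresh ID to
        # the caller so the browser that changed the password stays logged in.
        for old_sid, (owner, _) in list(self.sessions.items()):
            if owner == username:
                del self.sessions[old_sid]
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = (username, user.pw_generation)
        return new_sid


def reproduce_poc(store_cls):
    """Replay the report's steps: two logins, a password change in one
    browser, then a check of the other browser's session."""
    store = store_cls([User("alice", "old-pass")])  # constructed sample user
    browser_a = store.login("alice", "old-pass")
    browser_b = store.login("alice", "old-pass")
    browser_a = store.change_password(browser_a, "new-pass")
    return {
        "old_session_persists": store.is_valid(browser_b),
        "changer_still_logged_in": store.is_valid(browser_a),
        "old_password_accepted": store.login("alice", "old-pass") is not None,
    }


if __name__ == "__main__":
    for cls in (VulnerableSessionStore, HardenedSessionStore):
        print(cls.__name__, reproduce_poc(cls))
```

The generation check in `is_valid` is the part that matters when the session backend (files, a cache, a database) cannot enumerate all sessions of one user; deleting the sessions and rotating the caller's ID on top of it is belt and braces, and the rotation also covers the classic fixation case where an attacker already knows the pre-login session ID.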

Ziding Zhang (Admin), 25 days ago

Hey b3ef, I've just emailed the maintainer and am waiting to hear back. Good job!

Ziding Zhang (Admin), 25 days ago

Hey b3ef, please ignore the above message.

Since I was not able to find a security policy or other method of contact, I've created an issue on the repo asking for a way to responsibly disclose this vulnerability. Once they provide this information, I will contact them for you. Good job!

We have contacted a member of the filegator team and are waiting to hear back 25 days ago
filegator/filegator maintainer validated this vulnerability 21 days ago
Ajmal Aboobacker has been awarded the disclosure bounty: $25
The fix bounty is now up for grabs: $6.25
Milos (Maintainer), 21 days ago

Thanks! Fixed with https://github.com/filegator/filegator/commit/a66cba349b7fb91c5dec9b87745f830c8e2b66f0 and https://github.com/filegator/filegator/commit/0de9e6c895ba3baa668daef7218dd9638ae5b07c

Jamie Slome (Admin), 20 days ago

@Milos - you should now have the permissions under your account to confirm the fix!

Cheers!

Jamie Slome (Admin), 20 days ago

@Milos - it looks like there was an issue in confirming the fix, are you able to try again?

Apologies for this!

Milos (Maintainer), 20 days ago

No, the Confirm fix button is now disabled :/

Jamie Slome (Admin), 20 days ago

Apologies, refresh and try once more?

Milos Stojanovic confirmed that a fix has been merged on 0de9e6 20 days ago
Milos Stojanovic has been awarded the fix bounty: $6.25