Session Fixation in filegator/filegator
Reported on
Jul 1st 2021
✍️ Description
the password reset function is vulnerable to session fixation bug, it's a small low hanging bug
🕵️♂️ Proof of Concept
open filegator and login with similar accounts in multiple browsers. change the password of the user in one browser and reload the other login session. we can see that the old session persists even after changing the password. similar issue reference : monica
💥 Impact
the session didn't expire even after changing the password
Occurrences
Hey b3ef, I've just emailed the maintainer and am waiting to hear back. Good job!
Hey b3ef, please ignore the above message.
Since I was not able to find a security policy or other method of contact, I've created an issue on the repo asking for a way to responsibly disclose this vulnerability. Once they provide this information, I will contact them for you. Good job!
Thanks! Fixed with https://github.com/filegator/filegator/commit/a66cba349b7fb91c5dec9b87745f830c8e2b66f0 and https://github.com/filegator/filegator/commit/0de9e6c895ba3baa668daef7218dd9638ae5b07c
@Milos - you should now have the permissions under your account to confirm the fix!
Cheers!
@Milos - it looks like there was an issue in confirming the fix, are you able to try again?
Apologies for this!
No, the Confirm fix button is now disabled :/