Session Fixation in amirsanni/mini-inventory-and-sales-management-system

Valid

Reported on Jun 19th 2021

✍️ Description

The application does not invalidate the session on the server after logout. An attacker holding a user's old session cookie can still use it to manipulate application data after that user has logged out.

🕵️‍♂️ Proof of Concept

1. Log in to the application and copy the session cookie from the request.
2. Log out of the application.
3. Replay the same cookie to perform any critical action in the application. The application still accepts the old cookie.

💥 Impact

If an attacker obtains a user's session cookie by any means, they can use it to manipulate application data on that user's behalf, even after the user changes their password or logs out of the application.
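The weak and the hardened logout side by side, as an added example in plain PHP (not the project's own Session.php): the weak handler only clears the cookie in the browser, so the server-side session survives and the replayed cookie from step 3 still works; the hardened handler destroys the server-side state and also regenerates the session ID at login, which is the standard fix for session fixation. The `/login` route and the `user_id` session key are assumptions.

```php
<?php
// Added example, not the project's own code. Shows why replaying an old
// session cookie after logout works, and how to stop it.

// WEAK: only tells the browser to drop the cookie. The server-side session
// record is untouched, so anyone holding the old cookie value stays logged in.
function logoutWeak(): void
{
    setcookie(session_name(), '', time() - 3600, '/');
    header('Location: /login'); // assumed route
    exit;
}

// HARDENED: wipe the server-side session, then expire the cookie. Presenting
// the old cookie afterwards yields a new, empty (unauthenticated) session.
function logoutSecure(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                        // clear data held in memory
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                     // delete the server-side record
    header('Location: /login'); // assumed route
    exit;
}

// At login (and after a password change), issue a fresh ID so a session value
// known before authentication never becomes an authenticated one.
function onLoginSuccess(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);           // true = discard the old session data
    $_SESSION['user_id'] = $userId;        // assumed session key
    $_SESSION['auth_time'] = time();
}

// Guard for critical actions: with logoutSecure() in place, the replayed cookie
// from the proof of concept no longer carries user_id and is rejected.
function requireLogin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Not authenticated');
    }
}
```

To confirm a fix, repeat the three steps of the proof of concept: after the hardened logout, the replayed cookie must be answered with the 401 from `requireLogin()` rather than the action succeeding.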

References

We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back 5 months ago
Amir validated this vulnerability 2 months ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir confirmed that a fix has been merged on 8a995d 7 days ago
Amir has been awarded the fix bounty
Session.php#L49-L177 has been validated