Session Fixation in agentejo/cockpit


Reported on

Sep 4th 2021

✍️ Description

A malicious actor with access to the computer is able to reveal the loaded site's actual session identifier value from the stored cookie. Since upon login, this value does not change, the attacker can gain access via session hijacking, when the target logs in on the compromised computer.

🕵️‍♂️ Proof of Concept

  • 1; Open the website, in incognito mode, to make sure, you don't have any live sesion.

  • 2; Obtain the session identifier value from the cookie

  • 3; Initiate a login with a valid user

  • 4; Obtain the session identifier value again from the cookie

The value is the same before and after the login.

💥 Impact

Upon successful attack, the malicious actor is able to hijack the user's session, what causes total compromise of the target's account.

We created a GitHub Issue asking the maintainers to create a 2 years ago
2 years ago


Hey gergelykis, I'm just contacted the repo maintainer for you.

We have contacted a member of the agentejo/cockpit team and are waiting to hear back 2 years ago
Artur validated this vulnerability 2 years ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Artur marked this as fixed with commit 0c6628 2 years ago
Artur has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation