Session Fixation in alovoa/alovoa

Valid

Reported on Jul 19th 2021


✍️ Description

When a logged-in user changes their password, existing sessions do not expire after the update.

🕵️‍♂️ Proof of Concept

```java
// PasswordController.java: the endpoint updates the password but neither
// expires the current session nor forces the user to log in again.
@PostMapping(value = "/change", consumes = "application/json")
public void changePassword(@RequestBody PasswordChangeDto dto)
        throws AlovoaException {
    // The password changes, yet every existing session stays active on the platform.
    passwordService.changePassword(dto);
}
```

Steps to reproduce:

  1. Open a new session in a private window.
  2. Select the Change password option in the original session.
  3. Both sessions can still interact with the website without ever having been logged out. The private session (which could be the attacker's) remains usable even after the victim has changed the password.

💥 Impact

This vulnerability allows an attacker to keep a compromised account's session active even after the real owner has changed the password. Consider logging the user out after the update and requiring them to log in again.
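One way to implement that logout on the same endpoint, as an added example that is not alovoa's code or the merged fix: after the password update, expire every session Spring Security has registered for the principal and invalidate the caller's own session. It assumes a `SessionRegistry` bean populated by Spring Security's concurrent-session support (with `HttpSessionEventPublisher`), and that `PasswordService`, `PasswordChangeDto` and `AlovoaException` behave as in the report.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Added example, not the project's controller. Assumes a SessionRegistry bean
// that tracks every authenticated session for the application.
@RestController
public class PasswordController {

    private final PasswordService passwordService;
    private final SessionRegistry sessionRegistry;

    public PasswordController(PasswordService passwordService, SessionRegistry sessionRegistry) {
        this.passwordService = passwordService;
        this.sessionRegistry = sessionRegistry;
    }

    @PostMapping(value = "/change", consumes = "application/json")
    public void changePassword(@RequestBody PasswordChangeDto dto, HttpServletRequest request)
            throws AlovoaException {
        passwordService.changePassword(dto);

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            // Mark every other session known for this principal as expired,
            // including one held in a different browser or private window.
            for (SessionInformation info : sessionRegistry.getAllSessions(auth.getPrincipal(), false)) {
                info.expireNow();
            }
        }

        // Drop the caller's own session as well, so the client must authenticate again
        // with the new password.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        SecurityContextHolder.clearContext();
    }
}
```

`expireNow()` only flags the registry entry; `ConcurrentSessionFilter` enforces it by invalidating the session on that client's next request, so both the registry and the filter must be part of the security configuration.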

Timeline:

  - We have contacted a member of the alovoa team and are waiting to hear back (4 months ago)
  - Nho Quy Dinh validated this vulnerability (4 months ago)
  - Ileana Barrionuevo has been awarded the disclosure bounty
  - The fix bounty is now up for grabs
  - Nho Quy Dinh confirmed that a fix has been merged on d4be21 (4 months ago)
  - Nho Quy Dinh has been awarded the fix bounty
  - Ileana Barrionuevo modified their report (4 months ago)