Session Fixation in pheditor/pheditor

Valid

Reported on

Oct 7th 2021


Description

A Session Fixation vulnerability was found in pheditor: it does not expire existing sessions after a password update.

Proof of Concept

// PoC
1. Open one normal tab and one private tab.
2. Open pheditor in both of them and log in as a user.
3. From the private tab, change the user password and log out.
4. On the normal tab, refresh the page; you will see the session is still maintained and you can access the files.

Impact

The session doesn't expire even after the victim changes the password.
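
One way to close the gap described in this report, as an added example rather than pheditor's code or its merged fix: bind each session to the current password hash, so every session issued under the old password stops validating once the password changes. The function names, the `binding` key and `$serverKey` are assumptions, and plain arrays stand in for `$_SESSION` so the script runs from the CLI.

```php
<?php
// Added example; all names are hypothetical and plain arrays stand in for $_SESSION.

// Value tied to the current password hash. The HMAC keeps the hash itself
// out of session storage.
function session_binding(string $passwordHash, string $serverKey): string
{
    return hash_hmac('sha256', $passwordHash, $serverKey);
}

function login(array &$session, string $password, string $passwordHash, string $serverKey): bool
{
    if (!password_verify($password, $passwordHash)) {
        return false;
    }
    // In a web request, also call session_regenerate_id(true) here.
    $session = ['binding' => session_binding($passwordHash, $serverKey)];
    return true;
}

// Run on every request: a session created under a previous password fails the check.
function is_authenticated(array &$session, string $passwordHash, string $serverKey): bool
{
    $ok = isset($session['binding'])
        && hash_equals(session_binding($passwordHash, $serverKey), $session['binding']);
    if (!$ok) {
        $session = []; // discard stale session data
    }
    return $ok;
}

// Constructed walk-through of the four PoC steps.
$key = random_bytes(32);                                    // constructed server secret
$stored = password_hash('old-password', PASSWORD_DEFAULT);
$normalTab = [];
$privateTab = [];
login($normalTab, 'old-password', $stored, $key);           // steps 1-2: both tabs log in
login($privateTab, 'old-password', $stored, $key);

$stored = password_hash('new-password', PASSWORD_DEFAULT);  // step 3: password change
$privateTab = [];                                           // step 3: log out

// Step 4: the normal tab's next request is checked against the new hash.
var_dump(is_authenticated($normalTab, $stored, $key));
```

Because `password_hash()` salts every hash, setting the same password again also invalidates older sessions.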

We have contacted a member of the pheditor team and are waiting to hear back 19 days ago
x3rz
19 days ago

Researcher


For Video POC: https://drive.google.com/file/d/1CyURCv2teZPTl7l1WfPRmy1jM9_Eja2s/view?usp=sharing

Hamid Samak validated this vulnerability 19 days ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak confirmed that a fix has been merged on d550d0 19 days ago
Hamid Samak has been awarded the fix bounty
pheditor.php#L356-L378 has been validated
x3rz
19 days ago

Researcher


@admin why is the bounty only $5? I saw $25 before disclosing this issue.

Jamie Slome
19 days ago

Admin


@x3rz - the maintainer now has the ability to choose the reward for reports up to the reward that you see when you disclosed the vulnerability.

x3rz
19 days ago

Researcher


:| okay, still I don't know why the maintainer set a low bounty on this one