Session Fixation in pheditor/pheditor

Valid

Reported on

Oct 7th 2021


Description

A Session Fixation vulnerability was found in pheditor: it doesn't expire sessions after a password update.

Proof of Concept

// PoC
1. Open a normal tab and one private tab
2. Open pheditor in both of them and log in as a user
3. From the private tab, change the user password and log out.
4. On the normal tab, refresh the page and you will see the session is still maintained and you can access the files.

Impact

The session doesn't expire even after the victim changes the password.
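
One way to close the gap described above, as an added example (not pheditor's code and not the fix in commit d550d0): bind each session to a fingerprint of the current password hash and re-check it on every request, so a password change invalidates sessions opened in other tabs or browsers. The storage path, the session key and all function names are assumptions made for illustration.

```php
<?php
// Added example, hypothetical names throughout.
const PASSWORD_FILE = __DIR__ . '/password.hash'; // assumed location of the stored hash

session_start();

function current_hash(): string {
    return is_file(PASSWORD_FILE) ? trim((string) file_get_contents(PASSWORD_FILE)) : '';
}

// Value stored in the session; it changes whenever the stored hash changes.
function fingerprint(string $hash): string {
    return hash_hmac('sha256', 'session-binding', $hash);
}

function login(string $password): bool {
    $hash = current_hash();
    if ($hash === '' || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);            // fresh session ID after authentication
    $_SESSION['auth'] = fingerprint($hash); // bind the session to this credential
    return true;
}

// Call on every request before serving any file.
function is_authenticated(): bool {
    $hash = current_hash();
    if ($hash !== '' && isset($_SESSION['auth'])
        && hash_equals(fingerprint($hash), $_SESSION['auth'])) {
        return true;
    }
    // Missing or stale binding (for example, the password changed elsewhere):
    // clear the session so the old cookie is useless.
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
    return false;
}

function change_password(string $new): void {
    $hash = password_hash($new, PASSWORD_DEFAULT);
    file_put_contents(PASSWORD_FILE, $hash, LOCK_EX);
    session_regenerate_id(true);
    $_SESSION['auth'] = fingerprint($hash); // only the session that made the change stays valid
}
```

With this check in place, step 4 of the PoC lands on the login form: the normal tab's session still carries the fingerprint of the old hash, so `is_authenticated()` rejects and destroys it.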

We have contacted a member of the pheditor team and are waiting to hear back 2 years ago
x3rz
2 years ago

Researcher


For Video POC: https://drive.google.com/file/d/1CyURCv2teZPTl7l1WfPRmy1jM9_Eja2s/view?usp=sharing

Hamid Samak validated this vulnerability 2 years ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak marked this as fixed with commit d550d0 2 years ago
Hamid Samak has been awarded the fix bounty
This vulnerability will not receive a CVE
pheditor.php#L356-L378 has been validated
x3rz
2 years ago

Researcher


@admin why is the bounty $5 only? I saw $25 before disclosing this issue.

Jamie Slome
2 years ago

Admin


@x3rz - the maintainer now has the ability to choose the reward for reports up to the reward that you see when you disclosed the vulnerability.

x3rz
2 years ago

Researcher


:| Okay, still I don't know why the maintainer set a low bounty on this one
