Session Fixation in pheditor/pheditor
Reported on
Oct 7th 2021
Description
Session Fixation vulnerability found in pheditor in which it doesn't expire the sessions after password update.
Proof of Concept
// PoC
1. Open normal tab and one private tab
2. Open the pheditor on both of them and log in as a user
3. From private tab change the user password and log out.
4. On the normal tab refresh the page and you will see the session is still maintained and you can access the files.
Impact
The session doesn't expire even after the victim changes the password.
Occurrences
For Video POC: https://drive.google.com/file/d/1CyURCv2teZPTl7l1WfPRmy1jM9_Eja2s/view?usp=sharing
@admin why bounty is $5 only i saw $25 before disclosing this issue.
@x3rz - the maintainer now has the ability to choose the reward for reports up to the reward that you see when you disclosed the vulnerability.
:| okay still I don't know why the maintainer set low bounty on this one