Session Fixation in pheditor/pheditor


Reported on

Oct 7th 2021


Session Fixation vulnerability found in pheditor: existing sessions are not expired after a password update, so a session established before the change stays valid afterwards.

Proof of Concept

// PoC
1. Open one normal tab and one private tab.
2. Open pheditor in both tabs and log in as the same user.
3. From the private tab, change the user's password and log out.
4. In the normal tab, refresh the page: the session is still maintained and the files are still accessible.


The session doesn't expire even after the victim changes the password.
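The fix the report calls for is to tie every session to the credentials it was created under, so that a password change invalidates all other sessions of that user. The following is an added example written for this report, not pheditor's own code (and not the fix in commit d550d0): each browser's session is modelled as a plain array passed by reference in place of `$_SESSION`, so the report's two-tab scenario can be replayed in a single CLI run, and the user store is a constructed in-memory array. The `auth_version` field and the three function names are assumptions of the example.

```php
<?php
// Added example, not pheditor's own code. Each browser's session is a plain array
// passed by reference (standing in for $_SESSION) so two "tabs" can be exercised
// in one CLI run; the user store is a constructed in-memory array.
declare(strict_types=1);

// Constructed sample user. auth_version is bumped on every credential change.
$users = [
    'alice' => [
        'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT),
        'auth_version'  => 1,
    ],
];

function login(array $users, array &$session, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['password_hash'])) {
        return false;
    }
    // Real deployment: call session_regenerate_id(true) here as well, so a session
    // id that existed before login is not carried into the authenticated session.
    $session = ['user' => $user, 'auth_version' => $users[$user]['auth_version']];
    return true;
}

function changePassword(array &$users, array &$session, string $newPassword): void
{
    $user = $session['user'];
    $users[$user]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    // Every session that recorded the old version is now stale.
    $users[$user]['auth_version']++;
    // The session that made the change continues under the new version
    // (real deployment: also session_regenerate_id(true)).
    $session['auth_version'] = $users[$user]['auth_version'];
}

// Run at the top of every authenticated request, before any file is served.
function requireValidSession(array $users, array &$session): bool
{
    $user = $session['user'] ?? null;
    if ($user === null || !isset($users[$user])) {
        return false;
    }
    if (($session['auth_version'] ?? -1) !== $users[$user]['auth_version']) {
        // Password was changed elsewhere: tear this session down
        // (real deployment: $_SESSION = []; session_destroy();).
        $session = [];
        return false;
    }
    return true;
}

// Replays the report's steps: two tabs logged in, password changed from one of them.
$normalTab  = [];
$privateTab = [];
login($users, $normalTab,  'alice', 'old-secret');
login($users, $privateTab, 'alice', 'old-secret');
changePassword($users, $privateTab, 'new-secret');

var_dump(requireValidSession($users, $privateTab)); // the tab that changed the password stays logged in
var_dump(requireValidSession($users, $normalTab));  // the other tab is rejected and its session cleared
```

The check costs one integer comparison per request against the user record, so it is cheap enough to run on every file-serving request rather than only at login. Any credential change (password reset, token revocation) bumps the same counter, and the comparison is strict (`!==`) so a missing or string-typed version is treated as stale rather than silently accepted.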

We have contacted a member of the pheditor team and are waiting to hear back 2 years ago


For Video POC:

Hamid Samak validated this vulnerability 2 years ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak marked this as fixed with commit d550d0 2 years ago
Hamid Samak has been awarded the fix bounty
This vulnerability will not receive a CVE
pheditor.php#L356-L378 has been validated 2 years ago


@admin why is the bounty only $5? I saw $25 before disclosing this issue.

Jamie Slome
2 years ago


@x3rz - the maintainer now has the ability to choose the reward for reports up to the reward that you see when you disclosed the vulnerability.

2 years ago


:| okay, still I don't know why the maintainer set a low bounty on this one
