Session Fixation in pheditor/pheditorValid
Oct 7th 2021
Session fixation-style weakness found in pheditor: existing sessions are not invalidated after a password update, so a session that was authenticated under the old password keeps working after the password has been changed.
Proof of Concept
1. Open a normal tab and one private tab.
2. Open pheditor in both tabs and log in as the same user.
3. From the private tab, change the user's password and log out.
4. In the normal tab, refresh the page: the session is still maintained and the files can still be accessed.
The session established before the password change is never expired, so anyone holding that session (for example on a device the victim no longer controls) keeps access to the editor and its files after the victim changes the password.
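The fix a practitioner would want is to bind each session to the password it was opened under, so that a password change invalidates every other session on its next request. The following PHP is an added example, not pheditor's code: it assumes a hypothetical single-user setup where the password hash is held in $config['password_hash'] and persisted by a hypothetical saveConfig(); pheditor's real storage and request handling differ.

```php
<?php
// Added example (not pheditor's code). Assumes $config['password_hash'] holds
// the bcrypt hash of the editor password and saveConfig() persists $config
// (both hypothetical). Run session_start() before using these functions.

// Fingerprint of the password hash a session was opened under.
function sessionFingerprint(string $passwordHash): string {
    return hash('sha256', 'pw:' . $passwordHash);
}

function login(array $config, string $password): bool {
    if (!password_verify($password, $config['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh ID on privilege change
    $_SESSION['authenticated'] = true;
    $_SESSION['pw_fp'] = sessionFingerprint($config['password_hash']);
    return true;
}

// Vulnerable pattern (what the PoC exploits): only checks the login flag.
//   if (empty($_SESSION['authenticated'])) { deny(); }
// A session opened under the old password passes this check forever.

// Hardened check, run on every request before serving files: a session whose
// fingerprint no longer matches the current password hash is destroyed.
function requireValidSession(array $config): bool {
    $expected = sessionFingerprint($config['password_hash']);
    if (empty($_SESSION['authenticated'])
        || !hash_equals($expected, (string)($_SESSION['pw_fp'] ?? ''))) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

function changePassword(array &$config, string $current, string $new): bool {
    if (!requireValidSession($config)
        || !password_verify($current, $config['password_hash'])) {
        return false;                          // re-authenticate before changing
    }
    $config['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    saveConfig($config);                       // hypothetical persistence
    // Rebind only this session to the new hash. Every other session still
    // carries the old fingerprint and fails requireValidSession() next time.
    session_regenerate_id(true);
    $_SESSION['pw_fp'] = sessionFingerprint($config['password_hash']);
    return true;
}
```

With this in place, step 4 of the PoC fails: the normal tab's session carries the fingerprint of the old hash, requireValidSession() destroys it, and the user is sent back to the login form. Binding the session to the hash (rather than keeping a server-side list of live session IDs) works with PHP's default file-based sessions and needs no extra storage; if the application ever supports several users, the fingerprint should additionally include the username so one user's password change does not log out everyone.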