Cookie is persisting in the browser which leads to Session Fixation in ikus060/rdiffweb

Valid

Reported on

Sep 18th 2022


Description

After logging in and logging out, the application continues to use the preauthentication cookies. The cookies are same after closing the browser and after password change .And also same cookies are reassigning for another user's login which can leads to session fixation.

Proof of Concept

Checklist

  • [ ] Check cookie before authentication
  • [ ] Check cookie after guest user authentication
  • [ ] Check cookie after admin user authentication
  • [ ] Check cookie after logout
  • [ ] Check cookie after closing the browser
POC : https://drive.google.com/file/d/1nur3xAzgPJB4mgEAyQANVr4f2sOm4HmW/view?usp=sharing

Impact

An attacker can gain unauthorized access to the account of users who are using the same browser as long as a single session cookie persists on that browser once the attacker obtains a session cookie through another attack.
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 8 months ago
Ambadi MP modified the report
8 months ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 8 months ago
Patrik Dufresne validated this vulnerability 8 months ago
Ambadi MP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
8 months ago

Maintainer


@admin May you plz assign a CVE

Thanks

Jamie Slome
8 months ago

Admin


Sorted :)

Patrik Dufresne marked this as fixed in 2.4.7 with commit 39e7dc 8 months ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation