Cookie is persisting in the browser which leads to Session Fixation in ikus060/rdiffweb

Valid

Reported on

Sep 18th 2022


Description

After logging in and logging out, the application continues to use the pre-authentication cookie. The cookie value stays the same after closing the browser and after a password change, and the same cookie is reassigned on another user's login, which can lead to session fixation.

Proof of Concept

Checklist

  • [ ] Check cookie before authentication
  • [ ] Check cookie after guest user authentication
  • [ ] Check cookie after admin user authentication
  • [ ] Check cookie after logout
  • [ ] Check cookie after closing the browser

POC: https://drive.google.com/file/d/1nur3xAzgPJB4mgEAyQANVr4f2sOm4HmW/view?usp=sharing
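The checklist above can be turned into an automated check. The following is an added example, not rdiffweb's code: a hypothetical in-memory session store with a vulnerable variant (cookie kept across login and logout, as the report describes) and a fixed variant (fresh session id on every authentication change), plus a checker that walks the checklist steps and reports which ones fail.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session store keyed by the cookie value."""

    def __init__(self, rotate_on_auth_change: bool):
        # False reproduces the reported behaviour; True is the mitigation.
        self.rotate = rotate_on_auth_change
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Mitigation: discard the pre-auth session and issue a new id so a
        # cookie planted before login never becomes an authenticated session.
        if self.rotate:
            self.sessions.pop(sid, None)
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def logout(self, sid):
        # Mitigation: invalidate server-side and hand out a fresh id.
        if self.rotate:
            self.sessions.pop(sid, None)
            return self.new_session()
        self.sessions[sid]["user"] = None
        return sid


def run_checklist(store):
    """Walk the report's checklist; True means the cookie changed as it should."""
    pre = store.new_session()              # cookie before authentication
    guest = store.login(pre, "guest")      # cookie after guest login
    out = store.logout(guest)              # cookie after logout
    admin = store.login(out, "admin")      # cookie after admin login
    return {
        "rotated_after_guest_login": guest != pre,
        "rotated_after_logout": out != guest,
        "rotated_after_admin_login": admin != out,
        "pre_auth_cookie_invalidated": pre not in store.sessions,
    }


def is_vulnerable(store):
    return not all(run_checklist(store).values())
```

Against a live instance the same four comparisons are made on the Set-Cookie values returned by the login and logout requests.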

Impact

An attacker who obtains a session cookie through another attack can gain unauthorized access to the accounts of users who share the same browser, for as long as that single session cookie persists on the browser.
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 5 days ago
Ambadi MP modified the report 5 days ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 4 days ago
Patrik Dufresne validated this vulnerability 4 days ago
Ambadi MP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
2 days ago

Maintainer


@admin May you plz assign a CVE

Thanks

Jamie Slome
a day ago

Admin


Sorted :)

Patrik Dufresne confirmed that a fix has been merged on 39e7dc a day ago
Patrik Dufresne has been awarded the fix bounty