Insufficient Session Expiration in janeczku/calibre-web
Status: Valid
Jul 21st 2021
The app does not expire the user's session on logout. The old session remains usable even after the user has logged out.
Proof of Concept
1. Login as a user at /login.
2. Select logout, intercepting and copying the user's cookie.
3. After this logout, send a new request to /me with the copied cookies.
4. See that it is still possible to get information from the site.
The call to logout_user() at line 1575 of web.py does not expire the session properly: it only ends the session on the client side, so the session cookie that was issued before logout is still accepted by the server.
This could allow unwanted actions. If the account is compromised in some way (e.g., someone stole the cookies, accessed the browser, etc.), a malicious actor could perform actions on behalf of the user even after the user has logged out.
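The following is an added illustration, not calibre-web's code: a minimal signed-cookie session model in Python that contrasts a logout which only asks the browser to drop the cookie (the pattern this report describes) with one that revokes the session server-side, and replays the report's steps 1-4 against both. All names (StatelessApp, RevokingApp, replay_after_logout) and the secret are constructed for the example.

```python
import hmac
import hashlib
import secrets

SECRET = b"constructed-demo-secret"  # constructed; a real app loads this from config


def sign(session_id: str) -> str:
    """Cookie value 'sid.mac', the shape of a signed client-side session cookie."""
    mac = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify(cookie: str):
    """Return the session id if the cookie's signature checks out, else None."""
    sid, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return sid if sid and hmac.compare_digest(expected, mac) else None


class StatelessApp:
    """Vulnerable pattern: logout only clears the cookie in the browser.
    The server keeps no record, so a copied cookie keeps authenticating."""
    def login(self, user):
        return sign(f"{user}:{secrets.token_hex(8)}")
    def logout(self, cookie):
        pass  # only 'Set-Cookie: session=; Max-Age=0' is sent; server state unchanged
    def me(self, cookie):
        sid = verify(cookie)
        return sid.split(":")[0] if sid else None


class RevokingApp:
    """Hardened pattern: sessions live in a server-side store and logout
    deletes the record, so replaying the old cookie is rejected."""
    def __init__(self):
        self.sessions = {}
    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sign(sid)
    def logout(self, cookie):
        self.sessions.pop(verify(cookie), None)  # revoke server-side
    def me(self, cookie):
        sid = verify(cookie)
        return self.sessions.get(sid) if sid else None


def replay_after_logout(app) -> bool:
    """Steps 1-4 of the report; True means the copied cookie still works after logout."""
    cookie = app.login("alice")   # step 1
    copied = cookie               # step 2: cookie captured before logout
    app.logout(cookie)            # step 2/3: user logs out
    return app.me(copied) is not None  # step 4: replay against /me
```

A regression test for the fix is simply `replay_after_logout(app)` returning False.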