Insufficient Session Expiration due to a missing cache check in admidio/admidio
Reported on
Jul 21st 2023
Description
The web application's session management suffers from an "Insufficient Session Expiration" vulnerability because logout does not clear everything tied to the session: the server removes the user reference, but a cache check is missing, so the old session identifier still authorizes requests. This allows a user's session to remain usable after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.
Proof of Concept
Step 1. Log in to the application with a valid user account and note the session identifier (cookie) issued.
Step 2. Access the application's sensitive areas or functionalities.
Step 3. Log out of the application.
Step 4. Log in again, which issues a new session.
Step 5. Attempt to access the application using the session identifier captured in Step 1, i.e. the one that was active before logging out.
Step 6. Observe that the old session remains active and accessible, allowing access without requiring re-authentication.
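The steps above, carried out against a toy model of the two logout behaviours at issue. This is an added example and not code from the Admidio project or from the report: ToyApp is a hypothetical in-memory stand-in for the web application, its session and cache structures are assumptions chosen to illustrate the report's "user reference deleted, cache left behind" pattern, and the test account and endpoints are constructed. The hardened flag switches between a logout that only clears the user reference and one that destroys the session record and its cache entry; replay_old_session() performs the PoC and returns the status of each sensitive request.

```python
"""Logout-replay check modelled on this report's PoC (added example, hypothetical app)."""
from __future__ import annotations

import secrets

PASSWORD = "correct horse battery staple"  # constructed test credential, not a real account


class ToyApp:
    """Hypothetical app with login, logout and a sensitive 'send message' action."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = {}    # session id -> {"user": username or None}
        self.user_cache = {}  # session id -> cached user record (the "cache" the report refers to)

    def login(self, username: str, password: str) -> tuple[str | None, int]:
        if username != "alice" or password != PASSWORD:
            return None, 401
        sid = secrets.token_urlsafe(32)  # fresh identifier for every login
        self.sessions[sid] = {"user": username}
        self.user_cache[sid] = {"name": username, "can_send_mail": True}
        return sid, 200

    def logout(self, sid: str) -> int:
        if sid not in self.sessions:
            return 401
        if self.hardened:
            # Destroy the server-side record so the old id no longer resolves,
            # and drop the cache entry keyed by it.
            del self.sessions[sid]
            self.user_cache.pop(sid, None)
        else:
            # Assumed vulnerable pattern: the user reference is removed, but the
            # session id still resolves and the cached user record survives.
            self.sessions[sid]["user"] = None
        return 200

    def send_message(self, sid: str, body: str) -> int:
        """Sensitive action; returns an HTTP-style status code."""
        session = self.sessions.get(sid)
        if self.hardened:
            # Authorize from the live session only: an unknown id or a
            # logged-out session is rejected before the cache is consulted.
            if session is None or session["user"] is None:
                return 401
        # In the vulnerable variant the cached record alone decides, so a
        # logged-out session whose cache entry survived still passes.
        cached = self.user_cache.get(sid)
        if cached is None or not cached["can_send_mail"]:
            return 401
        return 200


def replay_old_session(app: ToyApp) -> dict[str, int]:
    """Run the report's PoC steps and return the status of each send_message call."""
    old_sid, status = app.login("alice", PASSWORD)       # Step 1: log in, keep the id
    assert status == 200
    during = app.send_message(old_sid, "hi")             # Step 2: sensitive action while logged in
    app.logout(old_sid)                                  # Step 3: log out
    new_sid, _ = app.login("alice", PASSWORD)            # Step 4: log in again
    return {
        "while_logged_in": during,
        "new_session": app.send_message(new_sid, "hi"),  # control: the fresh session
        "old_session": app.send_message(old_sid, "hi"),  # Step 5: replay the pre-logout id
    }


if __name__ == "__main__":
    print("vulnerable:", replay_old_session(ToyApp(hardened=False)))
    print("hardened:  ", replay_old_session(ToyApp(hardened=True)))
```

A status of 200 for "old_session" is the finding in this report; after a correct fix that value must be 401 while "new_session" stays 200. Against a live target, replace ToyApp with a client that issues the same three calls over HTTP, sending the captured cookie on the replayed request; the report does not name the endpoints involved, so none are given here.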
Impact
- Unauthorized Access: Attackers can exploit this flaw to gain unauthorized access to user accounts, sensitive information, and functionalities associated with active sessions.
- Session Hijacking: Malicious actors can use old or captured session IDs to impersonate legitimate users, leading to session hijacking and subsequent misuse of the user's privileges.
- Data Exposure: As old sessions remain active, sensitive user data and application resources are at risk of exposure to unauthorized individuals.
- Identity Theft: The vulnerability facilitates identity theft, enabling attackers to perform actions on behalf of legitimate users.
Could you please describe which data you get from that old session? We delete the user reference in that session and also all user data.
Thanks for the reply. Sorry for the lack of information, this is my first report. With the old session, it is still possible to send a message or email without revalidation.
Pic 1: Send message with the new session after logging in.
Pic 2: Send message with the old session. The status is 200 and the message is sent successfully.
I think it is enough to prove that the session is still valid. Please tell me if you need anything else. Thank you so much!
I checked your report and I could not validate the issue. If you log out, internally all user data is deleted, and also the user rights.
Within your test you must be sure that you send an email to a role that doesn't accept "email send" from the public. Did you consider that?
Ok, I did some more testing and now I can reproduce the problem.
Thank you so much. Did you fix this issue? I have just re-tested and the issue still exists. I think we need some more checks (e.g. check the cache) to ensure the old session is completely destroyed.
Did you test it at our demo system? This was not updated.
I just updated it now, so you can retest there.
Thanks for the update. The fix works. Is there any bug bounty for this report? I do not know how and when the researcher can be awarded the bug bounty.
The bounty value is not something I have anything to do with. But as you can see in the header data for this report, there is no bounty for disclosure or fix :-(
But your credibility increased :-) "The researcher's credibility has increased: +7"
Yeah, I see. What about the CVE? Can you ping an admin to assign a CVE for this report? Thank you so much.
I have already requested a CVE. But I set the publish date to mid-August because I want to wait until I have released a new version of Admidio.
After that you will get the CVE automatically.
Yup, thanks for the nice support. Have a good day! This will be my first CVE :-))