Insufficient Session Expiration in firefly-iii/firefly-iii
Valid
Reported on
Feb 19th 2023
Description
Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
When handling sessions, web developers can rely either on server tokens or generate session identifiers within the application. Each session should be destroyed after the user hits the log off button, or after a certain period of time, called timeout. The application should provide the user the option to log out and destroy the session immediately without waiting for either timer to expire.
Proof of Concept
1- After I login with demo user, I checked the value the expiration fo firefly_session, the value should be "session", not a fixed date and time.
Please check the reference pic
# Impact
An attacker can steal or hijack unexpired sessions to bypass authentication mechanisms and gain unauthorized access to the web application without providing proper credentials.
Occurrences
References
We are processing your report and will contact the
firefly-iii
team within 24 hours.
3 months ago
We have contacted a member of the
firefly-iii
team and are waiting to hear back
3 months ago
The researcher's credibility has increased: +7
James Cole
has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on
Apr 1st 2023
flashes.twig#L18-L91
has been validated
Dear James, Is there a way to receive the vulnerability before 1st of April?
to join this conversation