Insufficient Session Expiration in firefly-iii/firefly-iii

Valid

Reported on

Feb 19th 2023


Description

Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.

When handling sessions, web developers can rely either on server-side tokens or on session identifiers generated within the application. Each session should be destroyed after the user hits the log-off button, or after a certain period of inactivity, called the timeout. The application should also give the user the option to log out and destroy the session immediately, without waiting for the timeout to expire.

Proof of Concept

1- After I logged in with the demo user, I checked the expiration value of firefly_session; the value should be "session", not a fixed date and time.

Please check the reference pic 
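As an added check that is not part of the original report, the script below parses raw Set-Cookie headers and flags a session cookie (firefly_session by default) that carries a fixed Expires or Max-Age instead of expiring with the browser session. The sample headers and the fixed clock are constructed for the example, not captured from a real instance.

```python
"""Audit Set-Cookie headers for session cookies that persist past browser close."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not captured from a real Firefly III instance).
SAMPLE_HEADERS = [
    "firefly_session=abc123; expires=Wed, 01 Mar 2023 10:00:00 GMT; "
    "Max-Age=7200; path=/; secure; httponly; samesite=lax",
    "firefly_session=def456; path=/; secure; httponly; samesite=lax",
    "remember_web=tok; Max-Age=31536000; path=/; httponly",
]
# Fixed clock so that Expires-based lifetimes are deterministic.
NOW = datetime(2023, 3, 1, 8, 0, 0, tzinfo=timezone.utc)


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def lifetime_seconds(cookie: dict, now: datetime = NOW):
    """Remaining lifetime in seconds, or None for a browser-session cookie.

    Per RFC 6265, Max-Age takes precedence over Expires when both are present.
    """
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None


def audit(headers, session_cookie="firefly_session", now=NOW):
    """Return (name, lifetime) for session cookies that have a fixed expiry."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] == session_cookie:
            ttl = lifetime_seconds(cookie, now)
            if ttl is not None:
                findings.append((cookie["name"], ttl))
    return findings


if __name__ == "__main__":
    for name, ttl in audit(SAMPLE_HEADERS):
        print(f"{name}: persistent cookie, expires in {ttl}s (expected: session)")
```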


Impact

An attacker can steal or hijack unexpired sessions to bypass authentication mechanisms and gain unauthorized access to the web application without providing proper credentials.

References

We are processing your report and will contact the firefly-iii team within 24 hours. 3 months ago
We have contacted a member of the firefly-iii team and are waiting to hear back 3 months ago
James Cole validated this vulnerability 3 months ago
Waad Albayyali has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
James Cole marked this as fixed in 6 with commit 68f398 3 months ago
James Cole has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Apr 1st 2023
flashes.twig#L18-L91 has been validated
Waad Albayyali
2 months ago

Researcher


Dear James, is there a way to receive the vulnerability before the 1st of April?

James Cole published this vulnerability a month ago