Session Fixation Vulnerability in fossbilling/fossbilling
Jun 14th 2023
The application does not generate a new PHPSESSID cookie after the user authenticates successfully. A malicious user is able to create a new session cookie value and inject it into a victim's browser before authentication. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.
Proof of Concept
- Navigate to the login page
- Check the PHPSESSID value
- Log in to the application and notice that the PHPSESSID value has not changed / refreshed. Log out of the application
- Open a new browser session and navigate to the login page. Please be sure that you are using a different browser with no saved cookie history
- Now, in one of the browsers, change the PHPSESSID cookie value to "Test", hit enter, and log in. You have now effectively assigned the value "Test" as your session cookie
- In the other browser, simply change the PHPSESSID cookie value to "Test", hit enter, and refresh the page
- You have now gained access to an account that you do not own
Video Proof of Concept
It is important to note that in the following video I am using two different browsers, Firefox and Google Chromium.
Regenerate the PHPSESSID cookie value after authentication. You can do this by using
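As an added illustration (not FOSSBilling's own code), a minimal PHP login handler showing the fixated-session pattern beside a hardened version that uses PHP's built-in session_regenerate_id(); verify_credentials() and its user store are constructed for the example.

```php
<?php
// Added example, not FOSSBilling code. verify_credentials() and the user
// store are constructed stand-ins for the application's real checks.
declare(strict_types=1);

// Constructed credential check; a real application looks up a stored hash.
function verify_credentials(string $user, string $password): bool
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Vulnerable pattern: whatever session id the browser presented before
// login (possibly one injected by an attacker, e.g. "Test") is kept and
// simply marked as authenticated, so that id now grants account access.
function login_vulnerable(string $user, string $password): bool
{
    session_start();
    if (!verify_credentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// Hardened pattern: on successful authentication, discard the pre-auth id
// and issue a fresh PHPSESSID, so an id chosen before login never becomes
// an authenticated session. Must run before any output is sent.
function login_hardened(string $user, string $password): bool
{
    session_set_cookie_params([
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/',
    ]);
    session_start();
    $preAuthId = session_id();
    if (!verify_credentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true);       // true = delete the old session data
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    // Sanity check for the fix: the id presented at login is no longer valid.
    return session_id() !== $preAuthId;
}

// Logout should also invalidate the server-side session, not just the cookie.
function logout(): void
{
    session_start();
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}
```

To confirm the fix in a browser, repeat the PoC steps above: after logging in, the PHPSESSID value observed on the login page should differ from the one set after authentication.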
This results in full account takeover of the victim's account. Depending on the level of privileges of the account, this could allow the attacker to view and/or modify sensitive data.