Session Fixation Vulnerability in fossbilling/fossbilling

Valid

Reported on

Jun 14th 2023


Description

The application does not generate a new PHPSESSID cookie after the user authenticates successfully. A malicious user can create a session cookie value and inject it into a victim's browser pre-authentication. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.

Proof of Concept

  1. Navigate to the login page.
  2. Check the PHPSESSID value.
  3. Log in to the application and notice that the PHPSESSID value has not changed / refreshed. Log out of the application.
  4. Open a new browser session and navigate to the login page. Be sure that you are using a different browser with no saved cookie history.
  5. Now, in one of the browsers, change the PHPSESSID cookie value to "Test", hit enter, and log in. You have now effectively assigned the value "Test" as your session cookie.
  6. In the other browser, simply change the PHPSESSID cookie value to "Test", hit enter, and refresh the page.
  7. You have now gained access to an account that you do not own.

Video Proof of Concept

It is important to note that in the following video I am using two different browsers, Firefox and Google Chromium.

Video POC

Mitigation

Regenerate the PHPSESSID cookie value after authentication. In PHP this is done with

session_regenerate_id()
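
As an added illustration (not FOSSBilling's code and not the maintainer's patch), the PHP handler below shows the defect from the description beside the regenerate-on-login fix; `checkCredentials()` is a hypothetical stand-in for the application's own check, and the User-Agent-only fingerprint is an assumed, deliberately coarse binding.

```php
<?php
// Hypothetical credential check standing in for the application's own.
function checkCredentials(string $user, string $pass): bool {
    return $user === 'alice' && $pass === 'correct horse'; // constructed test account
}

// Session bootstrap: reject IDs the server never issued and harden the cookie.
function startSession(): void {
    ini_set('session.use_strict_mode', '1'); // an unknown PHPSESSID is not adopted
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Vulnerable: keeps whatever PHPSESSID the browser arrived with, so an ID
// planted in the victim's browser before login becomes an authenticated session.
function loginVulnerable(string $user, string $pass): bool {
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

function clientFingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Fixed: drop pre-auth state, mint a new ID (deleting the old record so a
// fixated ID maps to nothing), and bind the session to a coarse client fingerprint.
function loginFixed(string $user, string $pass): bool {
    if (!checkCredentials($user, $pass)) {
        return false;
    }
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['fingerprint'] = clientFingerprint();
    return true;
}

// Run on every authenticated request; a fingerprint mismatch ends the session.
function sessionIsValid(): bool {
    if (!isset($_SESSION['user'], $_SESSION['fingerprint'])
        || !hash_equals($_SESSION['fingerprint'], clientFingerprint())) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}
```

The regeneration (plus `session.use_strict_mode`) is the actual fix for fixation; the User-Agent fingerprint only adds a weak second check and will log users out when their browser updates, so treat it as defence in depth rather than a substitute.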

Impact

Results in full takeover of the victim's account. Depending on the privileges of the account, this could allow the attacker to view and/or modify sensitive data.

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
M0ck3d modified the report
3 months ago
Belle Aerni modified the Severity from High (8.8) to High (8.1) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago

Thank you for the report! I'm going to improve our session management and get this resolved

M0ck3d has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
M0ck3d
3 months ago

Researcher


My pleasure! Would it be possible to assign a CVE?

Belle Aerni
3 months ago

Maintainer


Once we have a patch created and it's fixed, I'll be publishing the report with a CVE, yes

M0ck3d
3 months ago

Researcher


Thank you so much! Additionally, I really appreciate the prompt verification and responses. It really blew my mind that you verified the issue the same day I reported it.

Belle Aerni gave praise 3 months ago
You're welcome. It's important that security issues are resolved in a timely manner, and we know that researchers can sometimes spend a considerable amount of time discovering them. So thank you as well :)
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Belle Aerni
3 months ago

Maintainer


Hello, this pull request resolves this report by regenerating the session IDs when logging in, and it also adds some additional features, such as a simple fingerprinting method to help ensure sessions are only being used by the right person :)

https://github.com/FOSSBilling/FOSSBilling/pull/1332

Belle Aerni marked this as fixed in 0.5.1 with commit b9c35a 3 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 3rd 2023
Admin.php#L84-L101 has been validated
Guest.php#L118-L153 has been validated
Belle Aerni published this vulnerability 3 months ago