Session Fixation in slackero/phpwcms

Valid

Reported on

Aug 31st 2021

✍️ Description

A malicious actor with access to the computer can read the PHPSESSID value assigned to the loaded site. Because this value does not change upon login, the attacker can take over the account through session hijacking once the target logs in on the compromised computer.

🕵️‍♂️ Proof of Concept

  • Open the site's login.php by browsing to https://[SERVERADDRESS]/login.php
  • Obtain the PHPSESSID value
  • Initiate a valid login
  • View the PHPSESSID value again
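The steps above amount to a check that the session identifier survives authentication. The following PHP is an added example written for this page, not code from phpwcms or from the fix referenced below: it shows a login handler with the defect described (the pre-login PHPSESSID is kept) next to one that rotates the identifier at the privilege boundary, and a small check function that mirrors the proof of concept by comparing `session_id()` before and after login. The user store, the username `admin` and the password `placeholder-password` are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed user store for this example; a real application reads this from
// its database. The hash is computed at startup so the file is self-contained.
function userStore(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('placeholder-password', PASSWORD_DEFAULT)];
    }
    return $users;
}

function credentialsValid(string $user, string $pass): bool
{
    $users = userStore();
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Vulnerable pattern: the session ID handed to the anonymous visitor on
// login.php is kept after authentication, so anyone who learned that ID
// beforehand now holds an authenticated session.
function loginVulnerable(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!credentialsValid($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;   // same PHPSESSID before and after login
    return true;
}

// Hardened pattern: issue a fresh ID when the session gains privileges and
// delete the old session data, so the pre-login ID no longer maps to anything.
function loginHardened(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!credentialsValid($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);  // new PHPSESSID, old session destroyed
    $_SESSION['user'] = $user;
    return true;
}

// Defender-side check mirroring the report's PoC: does the ID change across login?
function sessionIdChangesOnLogin(callable $login): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $before = session_id();
    $ok = $login('admin', 'placeholder-password');
    $after = session_id();
    return $ok && $before !== $after;
}

if (PHP_SAPI === 'cli') {
    // No HTTP headers exist under the CLI, so disable cookie and cache-limiter
    // output; file-backed sessions still work for the comparison.
    ini_set('session.use_cookies', '0');
    ini_set('session.cache_limiter', '');

    $vulnerableRotates = sessionIdChangesOnLogin('loginVulnerable');
    session_write_close();
    $hardenedRotates = sessionIdChangesOnLogin('loginHardened');
    session_write_close();

    printf("vulnerable login rotates PHPSESSID: %s\n", $vulnerableRotates ? 'yes' : 'no');
    printf("hardened login rotates PHPSESSID:   %s\n", $hardenedRotates ? 'yes' : 'no');
}
```

Run it with `php session_fixation_demo.php`; the first line should report `no` and the second `yes`. `session_regenerate_id(true)` is the standard mitigation for this class of issue; pairing it with `session.use_strict_mode = 1` in php.ini makes PHP refuse to adopt a session ID it did not generate itself, which closes the variant where the attacker plants an ID rather than reading one.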

💥 Impact

Upon a successful attack, the malicious actor is able to hijack even the administrator's session, which results in total compromise of the application's functionality.

Occurrences

We have contacted a member of the slackero/phpwcms team and are waiting to hear back 3 months ago
Oliver Georgi validated this vulnerability 3 months ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Oliver Georgi confirmed that a fix has been merged on 0b2389 3 months ago
Oliver Georgi has been awarded the fix bounty