Session Fixation in slackero/phpwcms

Valid

Reported on

Aug 31st 2021


✍️ Description

A malicious actor with access to the computer can read the PHPSESSID value the site issued to the browser before authentication. Because this value is not regenerated on login, the same session ID identifies the authenticated session once the target logs in on that computer, so the attacker can reuse the ID they already know and hijack the session.

🕵️‍♂️ Proof of Concept

  • Open the site's login page at https://[SERVERADDRESS]/login.php
  • Note the PHPSESSID cookie value issued to the unauthenticated session
  • Log in with valid credentials
  • Inspect the PHPSESSID value again: it is unchanged, so the ID observed before login now identifies the authenticated session
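The pattern the report describes, shown as an added example that is not phpwcms's own code: an assumed login handler that keeps the pre-authentication session ID (the behaviour the steps above observe) beside a hardened version that regenerates the ID at the privilege boundary. The check_credentials() helper, its sample user store and the cookie settings are assumptions made for illustration.

```php
<?php
// Added illustrative example, not phpwcms code.
// Assumed: check_credentials() is the application's own credential check.
declare(strict_types=1);

// Assumed helper with a constructed single-user store; a real application
// would look the hash up in its database.
function check_credentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Vulnerable pattern: the session ID the client already holds survives login,
// so anyone who read PHPSESSID on login.php owns the authenticated session.
function login_vulnerable(string $user, string $pass): bool
{
    session_start();                       // resumes whatever PHPSESSID was sent
    if (!check_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;             // privileges attached to a known ID
    return true;
}

// Hardened pattern: issue a fresh ID after the credential check and before any
// authenticated state is stored, and invalidate the old one.
function login_fixed(string $user, string $pass): bool
{
    // Reject session IDs PHP did not issue itself (must be set before session_start()).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,   // keeps PHPSESSID out of reach of script access
        'secure'   => true,   // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // true deletes the old session data, so the ID captured before login
    // no longer maps to anything.
    if (!session_regenerate_id(true)) {
        return false;
    }
    $_SESSION = [];                        // drop state seeded into the old session
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Logout should likewise destroy the session and expire the cookie.
function logout(): void
{
    session_start();
    $_SESSION = [];
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $params['path'], $params['domain'],
              $params['secure'], $params['httponly']);
    session_destroy();
}
```

With the hardened handler, repeating the steps above shows a different PHPSESSID after login, so an ID read from the unauthenticated page never becomes valid for an authenticated session. Enabling session.use_strict_mode additionally makes PHP refuse session IDs it did not generate, which covers the case where an attacker plants the cookie rather than reads it.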

💥 Impact

A successful attack lets the malicious actor hijack any user's session, including the administrator's, which amounts to a total compromise of the application's functionality.

Occurrences

We have contacted a member of the slackero/phpwcms team and are waiting to hear back 2 years ago
Oliver Georgi validated this vulnerability 2 years ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Oliver Georgi marked this as fixed with commit 0b2389 2 years ago
Oliver Georgi has been awarded the fix bounty
This vulnerability will not receive a CVE