Session Fixation in slackero/phpwcms


Reported on

Aug 31st 2021

✍️ Description

A malicious actor with access to the computer can read the loaded site's current PHPSESSID value. Because this value does not change on login, the attacker can hijack the session once the target logs in on the compromised computer.

🕵️‍♂️ Proof of Concept

  • Open the site's login.php by browsing to https://[SERVERADDRESS]/login.php
  • Obtain the PHPSESSID value
  • Initiate a valid login
  • View the PHPSESSID value again
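
The flaw described above in a minimal PHP login handler, beside the hardened form that rotates the session id after authentication (an added example, not code from phpwcms or from the reporter; the `credentials_valid` check and the demo user are placeholders assumed for illustration):

```php
<?php
// Added example (not phpwcms code): a login handler in the vulnerable
// shape this report describes, and the hardened version. The credential
// check is a placeholder; a real application looks the user up in its
// own store and verifies the password with password_verify().
declare(strict_types=1);

/** Placeholder credential check (assumption: replace with the real lookup). */
function credentials_valid(string $user, string $pass): bool
{
    // Constructed demo user; never hard-code credentials in real code.
    $demo_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return $user === 'admin' && password_verify($pass, $demo_hash);
}

/** Vulnerable: the session id chosen before login survives authentication. */
function login_vulnerable(string $user, string $pass): bool
{
    session_start();
    if (!credentials_valid($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;   // PHPSESSID is unchanged: fixation is possible
    return true;
}

/** Hardened: issue a fresh session id once the user is authenticated. */
function login_hardened(string $user, string $pass): bool
{
    session_start();
    if (!credentials_valid($user, $pass)) {
        return false;
    }
    // Replace the pre-login id and delete the old session data, so an id
    // observed or planted before login no longer maps to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

/** Mirrors the PoC above: is the session id different before and after login? */
function session_id_rotated(callable $login): bool
{
    session_start();
    $before = session_id();
    session_write_close();
    $login('admin', 'correct horse battery staple');
    return session_id() !== $before;
}

echo session_id_rotated('login_hardened') ? "OK: id rotated\n" : "FAIL: id unchanged\n";
```

Running the same check with `'login_vulnerable'` reports the unchanged id, which is the condition the report describes.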

💥 Impact

After a successful attack, the malicious actor can hijack even the administrator's session, which results in total compromise of the application's functionality.


We have contacted a member of the slackero/phpwcms team and are waiting to hear back a year ago
Oliver Georgi validated this vulnerability a year ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Oliver Georgi confirmed that a fix has been merged on 0b2389 a year ago
Oliver Georgi has been awarded the fix bounty