Insufficient Session Expiration in octoprint/octoprint
Aug 16th 2022
Insufficient Session Expiration occurs when a website permits an attacker to reuse old session credentials or session IDs for authorization after they should have been invalidated.
Proof of Concept
Steps to reproduce
1- Log in to http://127.0.0.1:5000/login/ (OctoPrint).
2- Open an incognito tab or another browser and log in as the same user.
3- In the session from step 1, change the password and log in again.
4- The session from step 2 is still valid; it should have expired when the password was changed.
An attacker who holds an old session ID can keep using it for authorization even after the legitimate user has changed their password.
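To show the missing check and one common remedy, here is an added example (not OctoPrint's code): a hypothetical in-memory user and session store that records the password generation each session was issued under, so that a password change invalidates every session created before it. The `reproduce()` function replays the report's steps against both the vulnerable and the fixed validity check; all names and credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _hash(password):
    # Stand-in for a real password KDF; enough for the session logic shown here.
    return hashlib.sha256(password.encode()).hexdigest()

# Hypothetical minimal user/session store, constructed for illustration;
# this is not OctoPrint's implementation.
class SessionStore:
    def __init__(self):
        self._users = {}     # username -> {"pw_hash", "pw_version"}
        self._sessions = {}  # session_id -> {"user", "pw_version"}

    def add_user(self, username, password):
        self._users[username] = {"pw_hash": _hash(password), "pw_version": 0}

    def login(self, username, password):
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], _hash(password)):
            return None
        sid = secrets.token_urlsafe(32)
        # Record the password generation this session was issued under.
        self._sessions[sid] = {"user": username, "pw_version": user["pw_version"]}
        return sid

    def change_password(self, username, new_password):
        user = self._users[username]
        user["pw_hash"] = _hash(new_password)
        # Bumping the generation invalidates every session issued before it.
        user["pw_version"] += 1

    def is_valid_insecure(self, sid):
        # Vulnerable check: only asks whether the session id exists.
        return sid in self._sessions

    def is_valid(self, sid):
        sess = self._sessions.get(sid)
        user = self._users.get(sess["user"]) if sess else None
        # Fixed check: reject sessions issued under an older password generation.
        return user is not None and sess["pw_version"] == user["pw_version"]

def reproduce():
    """Replay the steps; return (insecure, fixed) validity of the step-2 session and of the re-login."""
    store = SessionStore()
    store.add_user("alice", "old-pass")          # constructed sample credentials
    store.login("alice", "old-pass")             # step 1: first browser
    second = store.login("alice", "old-pass")    # step 2: second browser, same user
    store.change_password("alice", "new-pass")   # step 3: password change
    relogin = store.login("alice", "new-pass")   # step 3: log in again
    return store.is_valid_insecure(second), store.is_valid(second), store.is_valid(relogin)
```

With the vulnerable check the second browser's session survives the password change; with the generation check it is rejected while the fresh login still works.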