Session Fixation in projectsend/projectsend


Reported on

Jul 29th 2021

✍️ Description

Project Send contains a Session Fixation Vulnerability. This vulnerability is one that can allow an attacker to fixate (find or set) another person’s session identifier. This most commonly happens when session tokens are now refreshed or renewed when they should be. It looks like the PHPSESSID cookie which is used for session management is not refreshed upon successful login, or log out.

Project send is not refreshing the session token upon a successful login resulting in this vulnerability. The rule of session tokens is that they should be renewed after any privilege level change ex: authenticating.

🕵️‍♂️ Proof of Concept

Step 1: Visit the page and observe the PHPSESSID being set. Step 2: Login and notice no new PHPSESSID is set. Step 3: Refresh the dashboard.php page and notice that the PHPSESSID is the same value as observed in Step 1.

💥 Impact

The impact of this issue could result in sessions-hijacking and attackers stealing user data as they would be able to fixate session id's and potentially log in as the affected users.

We have contacted a member of the projectsend team and are waiting to hear back 4 months ago
Ignacio Nelson validated this vulnerability 4 months ago
oddysseus1 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ignacio Nelson confirmed that a fix has been merged on 86b3a9 4 months ago
Ignacio Nelson has been awarded the fix bounty