Session Fixation in projectsend/projectsend
Reported on
Jul 29th 2021
✍️ Description
ProjectSend contains a session fixation vulnerability. Session fixation lets an attacker fixate (set in advance, to a value the attacker already knows) another person's session identifier. It most commonly happens when session tokens are not refreshed or renewed when they should be. The PHPSESSID cookie, which ProjectSend uses for session management, does not appear to be refreshed on successful login or on logout.
ProjectSend does not refresh the session token after a successful login, and that is what produces this vulnerability. The rule for session tokens is that they must be renewed after any change in privilege level, for example after authenticating.
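As an added illustration of that rule, here is the vulnerable login pattern next to a corrected one, written in PHP because ProjectSend is a PHP application. This is example code written for this page, not ProjectSend's own login handler; the `lookup_user` helper with its constructed sample account, the `username`/`password` form fields and the `dashboard.php` redirect are assumptions.

```php
<?php
// login.php: illustrative only, not ProjectSend's code.
declare(strict_types=1);

// Harden the PHPSESSID cookie before the session starts so the flags apply to it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from script
    'samesite' => 'Lax',
]);
// Reject session IDs the server never issued. This stops an attacker from choosing
// an arbitrary ID, but not from obtaining a real one and planting it, so the
// regeneration below is still required.
ini_set('session.use_strict_mode', '1');
session_start();

// Assumed helper: returns the user id for valid credentials, or null.
// The single account is constructed for the example; a real app checks its database.
function lookup_user(string $username, string $password): ?int
{
    $users = ['alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return $users[$username]['id'];
}

// VULNERABLE: the pre-authentication PHPSESSID survives the login, so whoever
// knew that ID (the attacker who planted it) now holds an authenticated session.
function login_vulnerable(string $username, string $password): bool
{
    $id = lookup_user($username, $password);
    if ($id === null) {
        return false;
    }
    $_SESSION['user_id'] = $id;
    return true;
}

// FIXED: the privilege level changes here, so issue a fresh ID and delete the
// old session data (true = delete_old_session). The ID the attacker fixated
// no longer resolves to anything.
function login_fixed(string $username, string $password): bool
{
    $id = lookup_user($username, $password);
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id']   = $id;
    $_SESSION['auth_time'] = time();
    return true;
}

// Logout is the other privilege change: clear the data, expire the cookie in the
// browser, and destroy the server-side session so the old ID cannot be reused.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login_fixed((string) $_POST['username'], (string) $_POST['password'])) {
        header('Location: dashboard.php', true, 303);
        exit;
    }
    http_response_code(401);
    echo 'Invalid credentials';
}
```

With `login_fixed` in place, the proof of concept below no longer holds: the login response carries a new `Set-Cookie: PHPSESSID=...` header, and the value observed before logging in is rejected by `session.use_strict_mode` because its session data was deleted.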
🕵️♂️ Proof of Concept
Step 1: Visit the page and observe the PHPSESSID cookie being set.
Step 2: Log in and notice that no new PHPSESSID is set.
Step 3: Refresh dashboard.php and notice that the PHPSESSID is the same value as observed in Step 1.
💥 Impact
This issue can lead to session hijacking and theft of user data: an attacker who plants a known PHPSESSID in a victim's browser before the victim logs in holds that same, now authenticated, session afterwards, and can act as the affected user.