Session Fixation in projectsend/projectsend

Valid

Reported on

Jul 29th 2021


✍️ Description

Project Send contains a session fixation vulnerability. This kind of vulnerability can allow an attacker to fixate (find or set) another person's session identifier. It most commonly happens when session tokens are not refreshed or renewed when they should be. It looks like the PHPSESSID cookie, which is used for session management, is not refreshed upon successful login or logout.

Project Send does not refresh the session token upon a successful login, which results in this vulnerability. The rule for session tokens is that they should be renewed after any privilege level change, for example authenticating.
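
One way to apply that rule in PHP, shown as an added example that is not ProjectSend's code and not the fix commit. The function names `establish_authenticated_session` and `end_session` and the session keys are hypothetical, and PHP 7.3 or later is assumed for the `setcookie` options array.

```php
<?php
// Added example: hypothetical helpers, not ProjectSend code. Assumes PHP >= 7.3.

// Refuse session IDs the server did not issue, and never accept IDs from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

/**
 * Call once the submitted credentials have been verified.
 * $userId is whatever identifier the application keeps for the user.
 */
function establish_authenticated_session(int $userId): void
{
    // Issue a fresh PHPSESSID and delete the pre-login session data,
    // so an ID known before authentication is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

/** Call on log out: clear the data, expire the cookie, destroy the session. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }
    session_destroy();
}
```

With this in place, the PHPSESSID value seen before login should differ from the one sent after login, and the old value should no longer map to any session data.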

🕵️‍♂️ Proof of Concept

Step 1: Visit the page and observe the PHPSESSID being set.
Step 2: Log in and notice that no new PHPSESSID is set.
Step 3: Refresh the dashboard.php page and notice that the PHPSESSID is the same value as observed in Step 1.

💥 Impact

This issue could result in session hijacking and attackers stealing user data, as they would be able to fixate session IDs and potentially log in as the affected users.

Occurrences

We have contacted a member of the projectsend team and are waiting to hear back 2 years ago
Ignacio Nelson validated this vulnerability 2 years ago
oddysseus1 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ignacio Nelson marked this as fixed with commit 86b3a9 2 years ago
Ignacio Nelson has been awarded the fix bounty
This vulnerability will not receive a CVE