Session Fixation Vulnerability in alextselegidis/easyappointments
Mar 15th 2023
It was noticed that the easyappointments application is vulnerable to Session Fixation. The application does not generate a new ea_session cookie after the user authenticates successfully. A malicious user is able to create a new session cookie value and inject it into a victim's browser. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.
The vulnerability also allows privilege escalation: a current user can escalate to admin if they are able to inject their session cookie and get an admin to log in using that cookie. Since the application allows concurrent logins, the admin user will not be aware that their session has already been taken over.
Proof of Concept
Browse to the login page and log in using a normal user account.
Notice that if an ea_session cookie already exists in the HTTP request header, the application will not regenerate a new one; it reuses the session cookie value that was set in the request header.
After logging in successfully, note down the ea_session cookie.
Open a new browser, set the ea_session cookie to the value recorded previously, and log in using an admin account.
After logging in successfully, go back to the normal user's browser and refresh the page. Notice that the normal user has now been elevated to admin.
Now both accounts can use the application concurrently without any notification.
Allows the attacker to access the victim's account. This could mean access to higher-level privileges or the ability to view sensitive data.
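The steps above, replayed against a toy session store, as an added example that is not code from easyappointments (the application itself is PHP; the constructed store below is Python). `login_vulnerable` adopts whatever ea_session-style value the client presents, which is the behaviour the report describes; `login_hardened` refuses server-unknown ids and issues a fresh id on authentication, the equivalent of calling `session_regenerate_id(true)` in PHP.

```python
import secrets


class SessionStore:
    """Constructed server-side session store: session id -> session data."""

    def __init__(self):
        self.sessions = {}

    def resolve(self, cookie_sid):
        # Reported behaviour: an id presented by the client is adopted as-is,
        # so a value chosen before login becomes a live session after login.
        if cookie_sid is None:
            cookie_sid = secrets.token_hex(16)
        self.sessions.setdefault(cookie_sid, {})
        return cookie_sid


def login_vulnerable(store, cookie_sid, username, role):
    sid = store.resolve(cookie_sid)
    store.sessions[sid].update(user=username, role=role)
    return sid  # same id the client sent: the fixated cookie now carries this login


def login_hardened(store, cookie_sid, username, role):
    # Only ids this server issued are recognised; anything else is ignored.
    old = cookie_sid if cookie_sid in store.sessions else None
    # Regenerate on authentication (a privilege change) and destroy the old record,
    # so any browser still holding the old id is logged out rather than elevated.
    new_sid = secrets.token_hex(16)
    store.sessions[new_sid] = store.sessions.pop(old, {})
    store.sessions[new_sid].update(user=username, role=role)
    return new_sid


def replay_report(login):
    """Follow the PoC and return the role the first browser ends up with."""
    store = SessionStore()
    # Steps 1-3: log in as a normal user and record the session cookie.
    recorded_sid = login(store, None, "user", "user")
    # Step 4: a second browser carrying that cookie logs in as admin.
    login(store, recorded_sid, "admin", "admin")
    # Step 5: the first browser refreshes with its recorded cookie.
    return store.sessions.get(recorded_sid, {}).get("role")
```

With the vulnerable login the first browser's role becomes "admin"; with the hardened login the recorded id no longer resolves to any session.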
Hi, I think it has been quite a while since the bug was last reported. Have we gotten any feedback from the author yet? Thanks.
Hi, as I understood you will be filing the CVE for this vulnerability; since our company is one of the CNAs, would you be able to file it with us instead? If you decide to file on your own, would you mind including our company advisory as part of the CVE references? Thanks.