Session Fixation Vulnerability in alextselegidis/easyappointments

Valid

Reported on Mar 15th 2023


Description

It was noticed that the easyappointments application is vulnerable to session fixation. The application does not generate a new ea_session cookie after the user authenticates successfully. A malicious user is able to create a session cookie value and inject it into a victim's browser. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.

The vulnerability also allows privilege escalation: a normal user is able to escalate to the admin user if they can inject their session cookie and have the admin log in using that cookie. Since the application allows concurrent logins, the admin user will not be aware that their session has already been taken over.

Proof of Concept

  1. Browse to the login page and log in using a normal user account.

  2. Notice that if the ea_session cookie already exists in the HTTP request header, the application does not regenerate a new one; it reuses the session cookie value that was set in the HTTP request header.

  3. After logging in successfully, note down the ea_session cookie.

  4. Open a new browser, set the ea_session cookie that was recorded previously, and log in using an admin account.

  5. After logging in successfully, go back to the normal user account's browser and refresh the page. Notice that the normal user has now been escalated to admin.

  6. Now both accounts can use the application concurrently without being notified.
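The following is an added in-memory model of the login behaviour the steps above describe, alongside the mitigation of regenerating the session id at authentication. It is constructed for illustration and is not easyappointments' code; the cookie name ea_session comes from the report, while the class, function and user names are assumptions.

```python
import secrets

# Constructed model of the reported login handling; not easyappointments' own code.
COOKIE_NAME = "ea_session"  # cookie name from the report


class SessionStore:
    """Server-side session table keyed by the ea_session cookie value."""

    def __init__(self):
        self.sessions = {}  # cookie value -> session data

    def get_or_create(self, request_cookie):
        """Weak point from the report: a cookie value presented by the client
        is reused as the session id, even if the server never issued it."""
        if request_cookie is not None:
            self.sessions.setdefault(request_cookie, {})
            return request_cookie
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = {}
        return new_id

    def login(self, request_cookie, username, role, regenerate):
        """Authenticate the user on the session the request carries.

        regenerate=False reproduces the reported behaviour (cookie kept);
        regenerate=True is the mitigation: issue a new id at the
        authentication boundary and invalidate the client-supplied one."""
        sid = self.get_or_create(request_cookie)
        if regenerate:
            new_sid = secrets.token_hex(16)
            self.sessions[new_sid] = self.sessions.pop(sid)
            sid = new_sid
        self.sessions[sid].update({"user": username, "role": role})
        return sid

    def role_for(self, cookie):
        """Role the server would grant to a request carrying this cookie."""
        return self.sessions.get(cookie, {}).get("role")


def replay_poc(regenerate_on_login):
    """Replay the report's steps in memory; return the roles granted to the
    recorded cookie and to the cookie the admin's browser ends up with."""
    store = SessionStore()
    # Steps 1-3: a normal user logs in and records their ea_session value.
    recorded = store.login(None, "normal_user", "user", regenerate_on_login)
    # Step 4: that value is presented as the cookie on the admin's login.
    admin_cookie = store.login(recorded, "admin", "admin", regenerate_on_login)
    # Step 5: the recorded cookie is replayed from the first browser.
    return store.role_for(recorded), store.role_for(admin_cookie)
```

With regeneration off the recorded cookie resolves to admin, with it on the recorded cookie is no longer valid while the admin keeps a working session. A second hardening not modelled here is to reject cookie values the server never issued rather than adopting them as session ids.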

Impact

Allows the attacker to access the victim's account. This could mean access to higher-level privileges or the ability to view sensitive data.

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. (2 months ago)
hacker1984 modified the report. (2 months ago)
hacker1984 modified the report. (2 months ago)
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back. (2 months ago)

hacker1984 (Researcher), 2 months ago:

Hi, I think it has been quite a while since the bug was last reported. Have we gotten any feedback from the author yet? Thanks.

Alex Tselegidis validated this vulnerability. (a month ago)
hacker1984 has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit 7f3735. (a month ago)
Alex Tselegidis has been awarded the fix bounty.
This vulnerability has been assigned a CVE.
Alex Tselegidis published this vulnerability. (a month ago)
User.php#L122-L126 has been validated.

hacker1984 (Researcher), a month ago:

Hi, as I understood you will be filing the CVE for this vulnerability. Since our company is one of the CNAs, would you be able to file with us instead? If you decide to file on your own, would you mind including our company advisory as part of the CVE reference? Thanks.
