Session is still valid after changing password in fossbilling/fossbilling
Jul 11th 2023
The application does not delete the old login session on the server side after changing the password. This poses a risk when a user uses a public computer and an attacker captures the login session. Even if the user has changed the password, the login session is still taken over by the attacker.
Proof of Concept
1 - Log in to 2 different computers
2 - At a computer, perform a password change.
3 - Result: On the other logged in computer, it can still be used normally.
Image POC: https://drive.google.com/drive/folders/1A0uciV3z0in1qpEkhCT49P_9QAWN3IUx?usp=sharing
Disable sessions in both client and server after user changes password
Once the session is taken over by an attacker, there is no way to destroy that session even if you change the password.