Session is still valid after changing password in fossbilling/fossbilling

Valid

Reported on

Jul 11th 2023

Description

The application does not delete the old login session on the server side after changing the password. This poses a risk when a user uses a public computer and an attacker captures the login session. Even if the user has changed the password, the login session is still taken over by the attacker.

Proof of Concept

1 - Log in to 2 different computers

2 - At a computer, perform a password change.

3 - Result: On the other logged in computer, it can still be used normally.

Image POC: https://drive.google.com/drive/folders/1A0uciV3z0in1qpEkhCT49P_9QAWN3IUx?usp=sharing

Solution

Disable sessions in both client and server after user changes password

Impact

Once the session is taken over by an attacker, there is no way to destroy that session even if you change the password.

We are processing your report and will contact the fossbilling team within 24 hours. 2 months ago

Phạm Đăng Chính modified the report

2 months ago

We have contacted a member of the fossbilling team and are waiting to hear back 2 months ago

Belle Aerni validated this vulnerability 2 months ago

Phạm Đăng Chính has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Belle Aerni

commented 2 months ago

Maintainer

Fixed by this PR: https://github.com/FOSSBilling/FOSSBilling/pull/1435

Belle Aerni marked this as fixed in 0.5.5 with commit 20c23b 2 months ago

Belle Aerni has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Jul 31st 2023

Belle Aerni published this vulnerability 2 months ago

to join this conversation