Session Fixation in froxlor/froxlor


Reported on

Jan 30th 2023


The session ID is not rotated, even after re-login


1. Change the PHPSESSID cookie to newsessionchanged and then log in.
2. Use the same session in a new browser; as you can see, it is logged into the account.
3. You can try logging out and logging in again; the PHPSESSID doesn't change.

Video POC:


This can be exploited if there is another bug like HTTP response splitting. It is also easy to exploit if the attacker modifies or notes the cookie before login.
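The pattern behind the three steps above, as an added example that is not froxlor's code and not the fix in the referenced commit: a PHP login handler that keeps whatever PHPSESSID the browser arrived with (vulnerable) next to one that rotates the ID on successful login and retires it on logout. The credential check, user name and password are constructed stand-ins; the demo function plants an attacker-chosen ID the way step 1 does and reports whether the handler replaced it.

```php
<?php
// Added example, not froxlor code. Shows the session-fixation pattern the
// report describes and the standard PHP fix: session_regenerate_id() on login.
declare(strict_types=1);

// Hypothetical credential check standing in for the application's own.
function credentials_valid(string $user, string $pass): bool
{
    // Constructed sample credential store; a real app reads a stored hash.
    $users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// VULNERABLE: the ID the browser presented (possibly planted by the attacker
// through a pre-set PHPSESSID cookie) is promoted to an authenticated session.
function login_vulnerable(string $user, string $pass): bool
{
    session_start();
    if (!credentials_valid($user, $pass)) {
        return false;
    }
    $_SESSION['userid'] = $user;   // attacker already knows this session ID
    return true;
}

// FIXED: issue a fresh ID after authentication so an ID the attacker learned
// beforehand (fixed cookie, response splitting, ...) never becomes authenticated.
function login_fixed(string $user, string $pass): bool
{
    session_start();
    if (!credentials_valid($user, $pass)) {
        return false;
    }
    // true = delete the old session data, so the planted ID cannot be reused
    session_regenerate_id(true);
    $_SESSION['userid']     = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Logout must retire the ID as well: clearing $_SESSION alone leaves the same
// PHPSESSID valid, which is what step 3 of the report observes.
function logout_fixed(): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Reproduce the report: plant an ID before login (step 1), authenticate, and
// check whether the application is still using the planted ID afterwards.
function rotates_session_id(callable $login): bool
{
    $planted = 'newsessionchanged';
    session_id($planted);            // equivalent to editing the cookie first
    $login('admin', 'correct horse battery staple');
    $after = session_id();
    session_write_close();
    return $after !== $planted;
}

// Assumed CLI run with cookies disabled so no headers are emitted.
if (PHP_SAPI === 'cli') {
    ini_set('session.use_cookies', '0');
    ini_set('session.use_strict_mode', '0');   // accept the planted ID, as in the report
    ini_set('session.save_path', sys_get_temp_dir());
    var_dump(rotates_session_id('login_vulnerable'));
    var_dump(rotates_session_id('login_fixed'));
}
```

Two caveats a practitioner should check alongside the rotation: `session.use_strict_mode=1` makes PHP refuse an uninitialized ID such as `newsessionchanged` outright and hand out a fresh one, which blunts the cookie-planting variant but not an ID leaked after login; and the regenerated ID is only as good as the cookie flags it is sent with, so `Secure`, `HttpOnly` and a suitable `SameSite` value still matter.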

We are processing your report and will contact the froxlor team within 24 hours. 8 months ago
We have contacted a member of the froxlor team and are waiting to hear back 8 months ago
froxlor/froxlor maintainer has acknowledged this report 8 months ago
Any update on this? 7 months ago

Michael Kaufmann validated this vulnerability 3 months ago
Dinesh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.1.0 with commit 94d9c3 3 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Michael Kaufmann published this vulnerability 3 months ago