Session Fixation in pheditor/pheditor


Reported on

Oct 2nd 2021


PHPEditor session are not regenerated after every login leading to possible session fixation attacks (local attack vector)

Proof of Concept

1. Open two browsers (Browser 1: Attacker, Browser 2: Victim)
2. Visit https://[PHP-EDITOR]/phpeditor.php server and copy cookie from Browser 1
3. Paste the cookie from Browser 1 in Browser 2.
4. Login in Browser 2.
5. Refresh Browser 1 to see that you have successfully logged in


Attackers can trick users by pasting their own cookies into a browser first in a shared computer without logging in. When the victim logs in, the attacker's cookies are now authenticated and they can login as user.

Recommended Fix

Regenerate session cookies after login

We have contacted a member of the pheditor team and are waiting to hear back 2 years ago
Hamid Samak validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak marked this as fixed with commit 15d7f5 2 years ago
Hamid Samak has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation