Session Fixation in pheditor/pheditor

Valid

Reported on Oct 2nd 2021


Description

PHPEditor sessions are not regenerated after every login, leading to possible session fixation attacks (local attack vector).

Proof of Concept

1. Open two browsers (Browser 1: Attacker, Browser 2: Victim).
2. Visit https://[PHP-EDITOR]/phpeditor.php in Browser 1 and copy the cookie from Browser 1.
3. Paste the cookie from Browser 1 into Browser 2.
4. Log in in Browser 2.
5. Refresh Browser 1 to see that you have successfully logged in.

Impact

Attackers can trick users by first pasting their own cookies into a browser on a shared computer, without logging in. When the victim logs in, the attacker's cookies are now authenticated and the attacker can log in as the user.

Recommended Fix

Regenerate session cookies after login.
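
The recommended fix, sketched as an added example (not pheditor's code and not the merged fix): a login routine that rotates the session ID once the password check passes, so a cookie value known before login never becomes the authenticated one. The function name `login`, the `authenticated` flag, the demo password and the strict-mode setting are assumptions; run it with the PHP CLI.

```php
<?php
declare(strict_types=1);

// Extra hardening, not mentioned in the report: refuse session IDs
// that the server did not issue itself.
ini_set('session.use_strict_mode', '1');

/**
 * Hypothetical login routine: verify the password, then rotate the
 * session ID before marking the session as authenticated.
 */
function login(string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false; // failed login: session stays unauthenticated
    }
    // true = delete the old session data, so the pre-login ID is useless.
    if (!session_regenerate_id(true)) {
        return false; // never authenticate a session that was not rotated
    }
    $_SESSION['authenticated'] = true; // hypothetical flag name
    return true;
}

// --- Constructed demonstration (sample credential, not a real one) ---
$storedHash = password_hash('demo-password', PASSWORD_DEFAULT);

session_start();
$preLoginId = session_id();   // the value a pre-planted cookie would carry

$rejected = login('wrong-password', $storedHash);
$idAfterFailure = session_id();

$accepted = login('demo-password', $storedHash);
$postLoginId = session_id();

// Output comes last: session functions must run before any output is sent.
printf("bad password accepted:    %s\n", $rejected ? 'yes' : 'no');
printf("ID kept on failed login:  %s\n", $idAfterFailure === $preLoginId ? 'yes' : 'no');
printf("good password accepted:   %s\n", $accepted ? 'yes' : 'no');
printf("ID rotated on login:      %s\n", $postLoginId !== $preLoginId ? 'yes' : 'no');
```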

We have contacted a member of the pheditor team and are waiting to hear back (25 days ago)
Hamid Samak validated this vulnerability (23 days ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak confirmed that a fix has been merged on 15d7f5 (23 days ago)
Hamid Samak has been awarded the fix bounty