Session Fixation in pheditor/pheditor


Reported on

Oct 2nd 2021


PHPEditor session are not regenerated after every login leading to possible session fixation attacks (local attack vector)

Proof of Concept

1. Open two browsers (Browser 1: Attacker, Browser 2: Victim)
2. Visit https://[PHP-EDITOR]/phpeditor.php server and copy cookie from Browser 1
3. Paste the cookie from Browser 1 in Browser 2.
4. Login in Browser 2.
5. Refresh Browser 1 to see that you have successfully logged in


Attackers can trick users by pasting their own cookies into a browser first in a shared computer without logging in. When the victim logs in, the attacker's cookies are now authenticated and they can login as user.

Recommended Fix

Regenerate session cookies after login

We have contacted a member of the pheditor team and are waiting to hear back a year ago
Hamid Samak validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak confirmed that a fix has been merged on 15d7f5 a year ago
Hamid Samak has been awarded the fix bounty
to join this conversation