Description
The application does not issue a new PHPSESSID cookie after the user authenticates successfully. A malicious user can therefore choose a session cookie value and plant it in a victim's browser before authentication (session fixation). After the victim logs in, the planted cookie becomes an authenticated session identifier, giving the attacker access to the victim's account through that active session.
Proof of Concept
- Navigate to the login page.
- Check the PHPSESSID cookie value.
- Log in to the application and notice that the PHPSESSID value has not changed or been refreshed. Log out of the application.
- Open a new browser session and navigate to the login page. Make sure you are using a different browser with no saved cookie history.
- In one of the browsers, change the PHPSESSID cookie value to "Test", press Enter, and log in. You have now effectively assigned the value "Test" as your session cookie.
- In the other browser, change the PHPSESSID cookie value to "Test", press Enter, and refresh the page.
- You have now gained access to an account that you do not own.
Video Proof of Concept
It is important to note that in the following video I am using two different browsers, Firefox and Google Chromium.
Video POC
Mitigation
Regenerate the PHPSESSID cookie value after successful authentication. In PHP this is done with session_regenerate_id(true), called once the credentials have been verified and before any authenticated data is written to the session (the original text refers to this function as sess_regenerate(), which is not a PHP function; session_regenerate_id() is the correct name).
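The following is an added example of the mitigation, not code from the application described in this report. It shows a PHP login handler in its vulnerable form (session ID kept across login) next to the hardened form (ID rotated with session_regenerate_id(true) at the moment of authentication). The demo user, its password and the check_credentials() helper are constructed for the example; the application's own user store would be used in practice.

```php
<?php
declare(strict_types=1);

// Constructed demo user store (not the application's real data). The hash is
// generated at startup so the example runs offline without a database.
const DEMO_USER = 'alice';
$DEMO_HASH = password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT);

// Hypothetical credential check for the example: constant-time username
// comparison plus password_verify() against the stored hash.
function check_credentials(string $user, string $pass, string $hash): bool
{
    return hash_equals(DEMO_USER, $user) && password_verify($pass, $hash);
}

// BEFORE (vulnerable): the session ID that existed before login is kept after
// login, so an ID planted in the victim's browser becomes an authenticated one.
function login_vulnerable(string $user, string $pass, string $hash): bool
{
    if (!check_credentials($user, $pass, $hash)) {
        return false;
    }
    $_SESSION['user'] = $user; // privilege level changes, session ID does not
    return true;
}

// AFTER (hardened): issue a fresh ID at the moment of authentication and
// delete the old one, so whoever knew the pre-login ID holds an identifier
// the server no longer recognises.
function login_hardened(string $user, string $pass, string $hash): bool
{
    if (!check_credentials($user, $pass, $hash)) {
        return false;
    }
    $_SESSION = [];                 // discard state from the anonymous session
    session_regenerate_id(true);    // true = destroy the old session record
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
    // Expire the cookie client-side as well so the browser stops sending it.
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
}

// Session configuration: strict mode makes PHP reject session IDs it did not
// issue (such as a client-supplied "Test"), and the cookie flags limit how the
// ID can be read or transmitted.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $before = session_id();
    $ok = login_hardened(
        (string)($_POST['username'] ?? ''),
        (string)($_POST['password'] ?? ''),
        $DEMO_HASH
    );
    if ($ok) {
        // The ID must differ from the pre-login value; if it does not, the
        // fixation issue is still present.
        if (session_id() === $before) {
            error_log('session ID was not rotated on login');
        }
        header('Location: /dashboard.php');
        exit;
    }
    http_response_code(401);
    echo 'Invalid credentials';
}
```

Two points worth checking when applying this: session_regenerate_id() must run before any output is sent, since it sets a new Set-Cookie header; and session.use_strict_mode is a complementary control rather than a replacement for regeneration, because it only stops the server from adopting an ID it never issued, while regeneration also protects against an attacker who obtained a legitimately issued pre-login ID. The same rotation should be applied on any other privilege change, such as a password reset or a step-up to an administrative role.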