Session Fixation Vulnerability

Reported by m0ck3d on www.huntr.dev, Jun 14, 2023, 20:40
huntr report ID: 84BF3E85-CDEB-4B8D-9EA4-74156DBDA83F
Tags: session fixation, authentication, cookie injection, bug bounty

EPSS: 0.001 (Low), percentile 34.0%
Description

The application does not issue a new PHPSESSID cookie after the user authenticates successfully: the session ID assigned before login is carried over into the authenticated session. An attacker can therefore choose a session cookie value and inject it into the victim's browser before authentication. Once the victim logs in, the injected value becomes the ID of the victim's authenticated session, and anyone presenting that same cookie value gains access to the victim's account through the active session.

Proof of Concept

  1. Navigate to the login page.
  2. Note the value of the PHPSESSID cookie.
  3. Log in to the application and observe that the PHPSESSID value has not changed: the pre-authentication ID is reused for the authenticated session. Log out of the application.
  4. Open a second browser session and navigate to the login page. Use a different browser (or a clean profile) so that no cookies are shared with the first session.
  5. In one browser (the "victim"), change the PHPSESSID cookie value to "Test" (for example via the browser's developer tools or an intercepting proxy), press Enter, and log in. The value "Test" is now the ID of an authenticated session.
  6. In the other browser (the "attacker"), change the PHPSESSID cookie value to "Test", press Enter, and refresh the page.
  7. The second browser is now logged in to an account it never authenticated to.

Video Proof of Concept

It is important to note that in the following video I am using two different browsers, Firefox and Google Chromium

Video POC

Mitigation

Regenerate the session ID immediately after successful authentication, before any authenticated state is written to the session, by calling PHP's

session_regenerate_id(true)

The true argument deletes the old session data, so the pre-authentication ID cannot be used to reach the authenticated session.

In addition, set session.use_strict_mode = 1 in php.ini. With strict mode off (PHP's default), session_start() adopts whatever PHPSESSID value the client sends and creates a session under it, which is why an arbitrary value such as "Test" works in the PoC. Strict mode makes PHP reject IDs it did not issue. Strict mode alone is not sufficient, because an attacker can first obtain a valid ID from the server and inject that instead, so regenerating the ID on login remains the essential fix; use both.
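To make the mechanics of PoC steps 4 to 7 and of the two mitigations concrete, the following is an added example (not part of the original report and not the vulnerable application's code). It models PHP's cookie-session behaviour in plain Python: session_start accepts any client-supplied ID unless strict mode is on, mirroring session.use_strict_mode, and login optionally regenerates the ID as session_regenerate_id(true) would. run_poc replays the two-browser PoC against a server configured with neither, either or both mitigations. All class and function names are the example's own, and the credentials are constructed.

```python
import secrets
from typing import Dict, Optional, Tuple


class SessionServer:
    """Minimal model of PHP cookie sessions (example code, not the real application).

    use_strict_mode     mirrors php.ini session.use_strict_mode: when False (PHP's
                        default) session_start() adopts whatever PHPSESSID the client
                        sends, which is why an arbitrary value such as "Test" works.
    regenerate_on_login mirrors calling session_regenerate_id(true) right after a
                        successful login: a fresh ID is issued and the old one deleted.
    """

    def __init__(self, use_strict_mode: bool, regenerate_on_login: bool) -> None:
        self.use_strict_mode = use_strict_mode
        self.regenerate_on_login = regenerate_on_login
        self.store: Dict[str, dict] = {}  # session ID -> session data

    def _new_id(self) -> str:
        return secrets.token_hex(16)

    def session_start(self, cookie_id: Optional[str]) -> str:
        """Return the session ID this request runs under, creating the session if needed."""
        if cookie_id in self.store:                 # an ID the server knows: resume it
            return cookie_id
        if cookie_id is not None and not self.use_strict_mode:
            self.store[cookie_id] = {}              # non-strict PHP: adopt the client's ID
            return cookie_id
        sid = self._new_id()                        # strict mode or no cookie: issue a new ID
        self.store[sid] = {}
        return sid

    def login(self, cookie_id: Optional[str], username: str, password: str) -> Tuple[str, bool]:
        """Authenticate; returns (session ID to set in the cookie, success)."""
        sid = self.session_start(cookie_id)
        if password != "correct-password":          # constructed credential check
            return sid, False
        if self.regenerate_on_login:
            data = self.store.pop(sid)              # session_regenerate_id(true): old ID deleted
            sid = self._new_id()
            self.store[sid] = data
        self.store[sid]["user"] = username          # authenticated state written only after regeneration
        return sid, True

    def whoami(self, cookie_id: Optional[str]) -> Tuple[str, Optional[str]]:
        """Return (session ID, logged-in user or None) for a request carrying cookie_id."""
        sid = self.session_start(cookie_id)
        return sid, self.store[sid].get("user")


def run_poc(server: SessionServer, attacker_obtains_valid_id: bool) -> bool:
    """Replay PoC steps 4-7 with two cookie jars.

    Returns True if the attacker's browser ends up inside the victim's session.
    """
    if attacker_obtains_valid_id:
        # Variant: the attacker first visits the site to get a server-issued ID and
        # injects that instead of "Test". This is what defeats strict mode on its own.
        injected = server.session_start(None)
    else:
        injected = "Test"                           # step 5: arbitrary value chosen by the attacker
    # The victim's browser now carries the injected cookie and the victim logs in (step 5).
    _, ok = server.login(injected, "victim", "correct-password")
    assert ok
    # Step 6: the attacker's browser sets the same PHPSESSID value and refreshes.
    _, user = server.whoami(injected)
    return user == "victim"                         # step 7: attacker is in the victim's session


if __name__ == "__main__":
    for strict, regen in [(False, False), (True, False), (False, True), (True, True)]:
        for valid in (False, True):
            hit = run_poc(SessionServer(strict, regen), valid)
            print(f"strict_mode={strict!s:5} regenerate_on_login={regen!s:5} "
                  f"server_issued_id={valid!s:5} -> attacker gets victim session: {hit}")
```

Running the script prints the full matrix: the unpatched configuration is fixated by the "Test" cookie, strict mode stops the arbitrary value but not a server-issued ID, and regenerating on login (with or without strict mode) stops both. The order inside login matters: the user is written to the session only after the new ID exists, and the old ID is removed from the store, so nothing authenticated is ever reachable under the value the attacker injected.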
