The application is vulnerable to session fixation attacks, which are exacerbated by the lack of the HttpOnly flag on the session cookie and the presence of XSS vulnerabilities.
The application does not re-issue session cookies upon a user successfully authenticating. This could allow an attacker to send a user a crafted URL that sets the session cookie (possible due to the presence of potential XSS vulnerabilities). When the user logs in, they retain this cookie, meaning that the attacker is able to hijack their session because they know the user's valid session ID.
The fix is to have the session ID change when the user logs in.
More details can be found on the OWASP website.
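As an added illustration of the fix described above (this is example code, not phpipam's own), a minimal PHP login handler with the vulnerable pattern beside the corrected one; `check_credentials` and the demo user record are constructed stand-ins for the application's real authentication routine:

```php
<?php
// Added example, not phpipam's code: session fixation fix in a login handler.

// Mark the session cookie HttpOnly (and Secure over TLS) before the session
// starts, so script injected via XSS cannot read the cookie value.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => isset($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
// Refuse session IDs the server never issued, so an ID planted by an attacker
// is not accepted as-is and turned into a live session.
ini_set('session.use_strict_mode', '1');
session_start();

// Constructed sample user store; a real application reads this from its DB.
$users = ['demo' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];

function check_credentials(string $user, string $password): bool {
    global $users; // hypothetical stand-in for the real authentication routine
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Vulnerable pattern (what the report describes): the pre-login session ID is
// kept after authentication, so whoever fixated it now shares the session.
function login_vulnerable(string $user, string $password): bool {
    if (!check_credentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user; // same session ID as before login
    return true;
}

// Fixed pattern: on successful authentication, discard the old session ID and
// issue a fresh one, so an attacker-known ID is no longer tied to the
// logged-in session.
function login_fixed(string $user, string $password): bool {
    if (!check_credentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true); // true: delete the old session data as well
    $_SESSION['user'] = $user;
    return true;
}
```

Regenerating the ID at login is the core fix; the HttpOnly flag and strict mode are the defence-in-depth settings the report says are missing.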
Anonymous
Hi, this is fixed in the development release already I believe, could you check?
https://github.com/phpipam/phpipam