Session Fixation Vulnerability in /loginc.php

Question

Session Fixation Vulnerability in /loginc.php

Opened this issue 7 years ago · 0 comments

/loginc.php

if (!session_id()) {
    session_start();
}
...
...
$username = $_POST['name'];
$password = $_POST['password'];
$res = login($username, $password);
switch ($res) {
    case 0:
        echo 1;
    break;

    case 1:
        $_SESSION['login'] = true;
        $_SESSION['username'] = htmlspecialchars($username);
        $_SESSION['password'] = md5_128($password);
        echo 2;
    break;

    default:
        echo 0;
    break;
}

We can see that even after we successfully logged in, the system does not regenerate a new session_id.
Note that this Session Fixation Vulnerability could easily be exploited with the help of any XSS Vulnerability in the same domain, eg. XSS Vulnerability in /readfile.php, as there is no Http-Only flag.

<script>
document.cookie="session_name=session";
document.cookie="session=HACKED";
</script>

Once the victim logged in with the session cookie above, then the attacker could take full control of the victim's account using the same cookie.