Session Fixation Vulnerability in /loginc.php
Opened this issue · 0 comments
Deleted user commented
/loginc.php

```php
if (!session_id()) {
    session_start();
}
// ...
// ...
$username = $_POST['name'];
$password = $_POST['password'];
$res = login($username, $password);
switch ($res) {
    case 0:
        echo 1;
        break;
    case 1:
        $_SESSION['login'] = true;
        $_SESSION['username'] = htmlspecialchars($username);
        $_SESSION['password'] = md5_128($password);
        echo 2;
        break;
    default:
        echo 0;
        break;
}
```
We can see that even after we have successfully logged in, the system does not regenerate a new session id.

Note that this Session Fixation Vulnerability could easily be exploited with the help of any XSS Vulnerability in the same domain, e.g. the XSS Vulnerability in /readfile.php, as there is no HttpOnly flag.
```html
<script>
document.cookie="session_name=session";
document.cookie="session=HACKED";
</script>
```

Once the victim has logged in with the session cookie above, the attacker can take full control of the victim's account using the same cookie.
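A hardened version of the login block, added here as an example and not part of the issue or the project's code: it regenerates the session id at the privilege change, enables PHP's strict session mode so a cookie value the server never issued (such as `HACKED`) is not adopted, and sets the HttpOnly flag the report says is missing. It assumes the project's `login()` function as shown above and PHP 7.3+ for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example, not the project's code. login() is the project's own
// function from the issue; the cookie settings below are assumptions.

// Reject session IDs the server did not generate: an attacker-planted
// "session=HACKED" cookie gets a fresh ID instead of being accepted.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,   // not reachable from document.cookie (blocks the XSS path)
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

$username = $_POST['name'] ?? '';
$password = $_POST['password'] ?? '';
$res = login($username, $password);

switch ($res) {
    case 0:
        echo 1;
        break;
    case 1:
        // Privilege level changes here, so discard the pre-login session ID.
        // Passing true deletes the old session data, so a fixated ID no
        // longer maps to the now-authenticated session.
        session_regenerate_id(true);
        $_SESSION['login']    = true;
        $_SESSION['username'] = htmlspecialchars($username);
        echo 2;
        break;
    default:
        echo 0;
        break;
}
```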