Project

General

Profile

Actions

Bug #4457

closed

CVE-2014-0090 - Session fixation, new session IDs are not generated on login

Added by Dominic Cleal over 10 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Description
Since new session id is not generated every time users log in, authentication can be bypassed through session fixation attacks in the situation where attackers are able to fixate another user's session id. Once users log in with the session id, attackers could also access the whole site with the user's privilege.

Severity: Medium

Affected URLs
http://$foreman/users/login

Steps
At host A, get a new session_id by accessing /users/login with any existing cookie removed.
At host B, access /users/login through http proxy. Intercept a request and delete Cookie header if exists. Intercept its response and
modify _session_id in Set-cookie header with the one got in host A.
At host B, access /users/login and verify if the injected _session_id is using in Cookie header.
At host B, log in with admin(or any user) account.
At Host A, verify if the session is considered as authenticated.

Result
User at host A can access the application bypassing authentication

Remedy advice
The session ID should be always changed when users log in.

Reference
https://www.owasp.org/index.php/Session_fixation


Files


Related issues 1 (0 open1 closed)

Related to Foreman - Refactor #23875: Remove login doesn't escalate privileges testClosedLukas Zapletal06/11/2018Actions
Actions

Also available in: Atom PDF