Bug #4457

Updated by Dominic Cleal over 6 years ago

*PRIVATE, EMBARGOED BUG: CVE-2014-0090* awaiting CVE reference*

Since new session id is not generated every time users log in, authentication can be bypassed through session fixation attacks in the situation where attackers are able to fixate another user's session id. Once users log in with the session id, attackers could also access the whole site with the user's privilege.

Severity: Medium

Affected URLs

At host A, get a new session_id by accessing /users/login with any existing cookie removed.
At host B, access /users/login through http proxy. Intercept a request and delete Cookie header if exists. Intercept its response and
modify _session_id in Set-cookie header with the one got in host A.
At host B, access /users/login and verify if the injected _session_id is using in Cookie header.
At host B, log in with admin(or any user) account.
At Host A, verify if the session is considered as authenticated.

User at host A can access the application bypassing authentication

Remedy advice
The session ID should be always changed when users log in.