Bug #4457
Updated by Dominic Cleal over 10 years ago
*PRIVATE, EMBARGOED BUG: CVE-2014-0090*
Description
Since new session id is not generated every time users log in, authentication can be bypassed through session fixation attacks in the situation where attackers are able to fixate another user's session id. Once users log in with the session id, attackers could also access the whole site with the user's privilege.
Severity: Medium
Affected URLs
http://$foreman/users/login
Steps
At host A, get a new session_id by accessing /users/login with any existing cookie removed.
At host B, access /users/login through http proxy. Intercept a request and delete Cookie header if exists. Intercept its response and
modify _session_id in Set-cookie header with the one got in host A.
At host B, access /users/login and verify if the injected _session_id is using in Cookie header.
At host B, log in with admin(or any user) account.
At Host A, verify if the session is considered as authenticated.
Result
User at host A can access the application bypassing authentication
Remedy advice
The session ID should be always changed when users log in.
Reference
https://www.owasp.org/index.php/Session_fixation