Session Fixation in CuppaCMS #8

Open
prasadlingamaiah opened this issue Jun 16, 2020 · 1 comment

Comments

@prasadlingamaiah

Cuppa CMS is prone to a session fixation attack.
Description: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn’t assign a new session ID, making it possible to use an existent session ID. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim’s browser use it.

Steps to Reproduce:

  1. Access the cuppa cms login page at http://127.0.0.1:880/cuppa_cms/administrator/
  2. Enter the wrong username and password to generate dummy session tokens.
  3. Copy the non-authenticated session tokens and insert them into another browser (Chrome) on the victim machine.
  4. Enter the valid credentials to log in to the application.
  5. Once you log in to the application, go back to the attacker browser and refresh the URL.
  6. An attacker is able to access the victim session successfully.

Session Values Before Login: Attacker Machine
firefox before login1

Session Values Before Login: Victim Machine
chrome before login

Session token once fixed on the victim machine
chrome session token fixed

Session Values after Login: Victim Machine
chrome after auth

Session Values for the attacker - Just refresh the browser
firefox sucess

Mitigation:
The application should always first invalidate the existing session ID before authenticating a user, and if the authentication is successful, provide another session.

@prasadlingamaiah prasadlingamaiah changed the title Session Fixation - Cuppa CMS Session Fixation in CuppaCMS Jun 16, 2020
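
The mitigation described in the issue above, as an added PHP example (not CuppaCMS code and not written by the issue author): the pre-login session is discarded and a new ID is issued only after the credentials check succeeds. `verify_credentials`, `login`, the sample user and the HTTPS assumption are hypothetical.

```php
<?php
// Added example: hypothetical login handler, not CuppaCMS code.
declare(strict_types=1);

// Reject session IDs the server did not issue (blocks attacker-chosen IDs).
ini_set('session.use_strict_mode', '1');
// Accept the session ID from the cookie only, never from a URL parameter.
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumption: the admin panel is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/**
 * Hypothetical credential check; replace with the application's own lookup.
 * The constructed hash stands in for a value stored in the user table.
 */
function verify_credentials(string $user, string $password): bool
{
    static $users = null;
    $users ??= ['admin' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!verify_credentials($user, $password)) {
        return false; // failed logins keep an unauthenticated session
    }
    // Drop anything stored under the pre-login ID, then issue a fresh ID.
    // Passing true deletes the old session data, so the old ID stops working.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login((string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'Logged in' : 'Invalid credentials';
}
```

With this in place, the token copied in step 3 no longer maps to the session created in step 4, so the refresh in step 5 returns an unauthenticated page.
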
@prasadlingamaiah
Author

Any updates on this vulnerability?
