Skip to content

Session Reuse After Logout in Feehi CMS 2.1.1 #86

Description

@altamish1994

Description
A session invalidation vulnerability in Feehi CMS version 2.1.1 allows remote attackers to reuse a user's PHPSESSID and identity cookie values even after the legitimate user has logged out. The application fails to destroy or invalidate the session server-side upon logout, enabling an attacker who captures these cookies (via network sniffing, cross-site scripting, or local access) to bypass authentication and gain unauthorized access to the victim’s account.


Proof of Concept (PoC)
Prerequisites
• Feehi CMS 2.1.1 installed and running.
• Two separate browsers or a single browser with cookie editing capability (e.g., Firefox with Cookie-Editor extension).
Steps to Reproduce

  1. Login as normal user
    o Open Browser A → Login to Feehi CMS with any valid user account.
    o Intercept or extract the cookies after login:
     PHPSESSID (e.g., abc123def456)
     identity
Image
  1. Capture cookies before logout (simulating an attacker)
    o Using an attacker-controlled machine or separate browser, import the same PHPSESSID and identity cookie values from Step 1.
    o Example using browser dev tools → Storage → Cookies → Add cookie:
     Name: PHPSESSID, Value: abc123def456
     Name: identity,
Image
  1. Logout properly
    o In Browser A, click the Logout button in the application.
    o Observe: The user is redirected to the login page, but cookies remain stored in the browser.
Image
  1. Reuse cookies after logout
    o Navigate directly to an authenticated page, e.g.:
    http://feehi-host/index.php?r=site/user
    o Result: The attacker is logged in as the original user without being prompted for credentials.
Image
  1. Verify server-side session still active
    o The victim clears their browser cookies or restarts the browser.
    o The attacker’s session remains active, because the server never invalidated the session record in the session table/directory.
Image

Expected Result
Even after the legitimate user logs out, the server continues to accept the same PHPSESSID and identity cookie for authenticated requests. An attacker who obtains these cookies can hijack the user’s account indefinitely (until session timeout, which may be days).


Impact
• Account takeover without credentials.
• Privilege escalation for non-admin users if admin cookies are reused.


Suggested Fix
• On logout session token should be destroyed
• Also manually delete identity cookie by setting expiration time to past
• Regenerate session ID upon login and after any privilege change.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions