Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Session Management Issue in Administrations Tab #444

Open
nikhil1232 opened this issue May 22, 2018 · 0 comments

Comments

Projects
None yet
1 participant
@nikhil1232
Copy link

commented May 22, 2018

Session Management Issue in Administrations Tab

link: http://localhost/monstra/admin/index.php?id=users&action=edit&user_id=1

You need two browsers for exploitation
1)Go to users settings in both the browsers
2)update your password in one browser and click on save
3)Now move to other browser and try to add some information like name and all.

i.e it is not asking for reauthentication after password change..

The other browser doesnt log you out because of password change..Thus an attacker can edit any information...
If an attacker had already logged in once..No matter how many times the victim changes his password,
the attacker would be able to access the victim's account.

Refer to owasp for session management

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.