Pluck 4.7.15 - Session Fixation Vulnerability #99
Comments
Could you perform a retest with the latest dev version?
Could you perform a retest with the latest dev release? Changes:
I might create a security options page where the session timeout is user manageable.
Hello, your changes mitigate the possible damage done by exploiting the original session fixation vulnerability due to expiration of sessions. However, the vulnerability itself (the ability to set arbitrary session IDs) still exists. Your fix makes exploitation of this vastly more difficult as session IDs are regularly regenerated and sessions eventually expire. Due to this, I consider the actual issue resolved as well :)
Issue Summary
A session-fixation vulnerability exists within Pluck's administrative login system which can be abused to retain a valid login session even after an administrator has changed their password.
Detailed Description
It is possible to arbitrarily set the session ID of Pluck's "PHPSESSID" cookie. This cookie is used for maintaining administrative login sessions. This can be used in a session-fixation attack, for example, to sustain unauthorized access to the CMS after already gaining it through a primary vulnerability. Furthermore, Pluck does not expire sessions in a timely manner nor are sessions bound in any other way. This also allows an easier brute force attack, as it is possible to brute-force session IDs without rate-limits imposed by the normal login process.
Reproduction Steps
1. From Google Chrome, open the developer tools menu and navigate to: Application > Storage > Cookies > <PLUCK_DOMAIN>
2. Change the value of the "PHPSESSID" cookie to an arbitrary value, such as "wolf".
3. Log in to the Pluck administrative panel by visiting <PLUCK_DOMAIN>/login.php and logging in.
4. In a new browser, repeat steps 1 and 2.
5. On step 3, you will be given access without being prompted for administrative credentials.
Impact
After any primary exploit has occurred, the session fixation attack can be used to sustain unauthorized access. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password.
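A defender-side illustration of the remediation this thread describes (rejecting client-chosen session IDs, regenerating the ID at login, expiring idle sessions) together with invalidation of sessions minted before a password change, added here as an example and not taken from Pluck's code; the `$ADMINS` store, the two helper functions and the `IDLE_LIMIT` value are constructed for the example.

```php
<?php
// Added example, not Pluck's code: session handling that closes the three gaps in this
// report. $ADMINS and the two helpers below are constructed stand-ins for Pluck's own
// user storage; IDLE_LIMIT is an assumed value.
const IDLE_LIMIT = 1800;   // seconds of inactivity before a session is dropped
$ADMINS = ['admin' => ['hash' => password_hash('demo-pass', PASSWORD_DEFAULT), 'pw_version' => 3]];
function verify_admin_password(string $user, string $pass): bool {
    global $ADMINS;
    return isset($ADMINS[$user]) && password_verify($pass, $ADMINS[$user]['hash']);
}
function admin_password_version(string $user): int {   // incremented on every password change
    global $ADMINS;
    return $ADMINS[$user]['pw_version'] ?? -1;
}
// 1. Strict mode: PHP discards any PHPSESSID it never issued (such as "wolf") and mints a
//    fresh one, so a client cannot choose the session ID in advance.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
session_start();
function admin_login(string $user, string $pass): bool {
    if (!verify_admin_password($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);   // 2. new ID at privilege change; the old one is deleted
    $_SESSION['admin']         = $user;
    $_SESSION['last_activity'] = time();
    $_SESSION['pw_version']    = admin_password_version($user);   // credential snapshot
    return true;
}
function admin_session_valid(): bool {
    if (empty($_SESSION['admin'])) {
        return false;
    }
    // 3a. Idle timeout, so a fixed or leaked session stops working on its own.
    $expired = (time() - ($_SESSION['last_activity'] ?? 0)) > IDLE_LIMIT;
    // 3b. A session minted before the latest password change no longer matches.
    $stale = ($_SESSION['pw_version'] ?? null) !== admin_password_version($_SESSION['admin']);
    if ($expired || $stale) {
        destroy_session();
        return false;
    }
    $_SESSION['last_activity'] = time();
    return true;
}
function destroy_session(): void {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');   // expire the cookie client-side
    session_destroy();
}
```

Bumping `pw_version` in the user store whenever the password is reset is what makes step 3b cut off every session that predates the reset, which is the gap the Impact section describes.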