| Field | Value |
|---|---|
| Title | https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Session Fixation |
| Description | A Session Fixation vulnerability exists in the CET AI Predictive Grading System. After successful authentication, the application writes user data to `$_SESSION` but never calls `session_regenerate_id(true)` to issue a new session ID. This allows an attacker who can obtain or plant a known session ID on the victim's browser to inherit the fully authenticated session after the victim logs in, without needing to know the victim's credentials. Full details, proof of concept and remediation follow the table. |
| Source | https://cwe.mitre.org/data/definitions/384.html |
| User | Abhay mp (UID 98542) |
| Submission | 2026-06-01 09:26 (1 month ago) |
| Moderation | 2026-07-03 15:58 (1 month later) |
| Status | Accepted |
| VulDB Entry | 376117 [SourceCodester CET Automated Grading System with AI Predictive Analytics weak authentication] |
| Points | 20 |

Vulnerable Code (index.php lines 84-92):

```php
$_SESSION['user_id'] = $user['id'];
$_SESSION['username'] = $user['username'];
$_SESSION['name'] = $user['name'];
$_SESSION['role'] = $user['role'];
$_SESSION['student_id'] = $user['student_id'] ?? null;
// session_regenerate_id(true) is never called
```

An attacker can fixate a known session ID on the victim's browser and wait for the victim to log in. Since the session ID never changes after authentication, the attacker inherits the fully authenticated session.

Steps to Reproduce:

1. Attacker obtains a valid session ID by visiting: http://[host]/PersonalAGS/index.php
2. Attacker plants the known session ID on the victim's browser via XSS or network sniffing on HTTP
3. Victim logs in using their credentials
4. Session ID remains unchanged after login
5. Attacker uses the pre-known session ID to access the application as the authenticated victim

Extended Attack Scenario:

- Combine with the Reflected XSS vulnerability already found in this application to plant the session ID: `http://[host]/PersonalAGS/index.php?action=<script>document.cookie='PHPSESSID=attacker_known_id'</script>`
- Wait for the victim to log in
- Attacker now has full authenticated access as the victim

Impact:

- Complete account takeover without knowing credentials
- Admin, faculty or student account hijacking
- Access to all grade records and system functions
- Bypasses authentication entirely

- Affected File: index.php
- Affected Lines: 84-92
- Auth Required: No
- User Interaction: Required (victim must log in)
- CWE: CWE-384
- CVSS: 6.8 (Medium)

Remediation:

1. Call session_regenerate_id(true) immediately after successful login:

```php
if ($user && password_verify($password, $user['password'])) {
    session_regenerate_id(true); // Add this line: issue a fresh ID and delete the old session
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['username'] = $user['username'];
    $_SESSION['name'] = $user['name'];
    $_SESSION['role'] = $user['role'];
    $_SESSION['student_id'] = $user['student_id'] ?? null;
}
```

2. Call session_regenerate_id(true) again on logout:

```php
session_regenerate_id(true);
session_destroy();
```

3. Set secure session cookie parameters (this must run before session_start()):

```php
session_set_cookie_params([
    'httponly' => true,
    'secure' => true,
    'samesite' => 'Strict'
]);
```

4. Implement session expiry and idle timeout:

```php
if (isset($_SESSION['last_active']) &&
    (time() - $_SESSION['last_active'] > 1800)) {
    session_destroy();
    header("Location: index.php");
    exit; // stop here; without exit the protected page below still executes
}
$_SESSION['last_active'] = time();
```
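The remediation steps above, combined into one hardened login and session flow, as an added example that is not code from the CET Automated Grading System or from the submitter. It assumes a `users` table with the columns the vulnerable snippet reads (id, username, name, role, password, student_id), a PDO connection with a placeholder DSN, and a login form posting `username` and `password`; `dashboard.php` and the `logout` POST field are likewise assumed. It goes one step beyond the page's list by enabling PHP's `session.use_strict_mode`, which makes PHP reject any session ID it did not issue itself, so a planted PHPSESSID never becomes a live session even before the post-login regeneration.

```php
<?php
// Added example, not code from the CET Automated Grading System: the
// remediation steps above combined into one hardened login/session flow.
// Assumptions: a `users` table with the columns used by the vulnerable
// snippet (id, username, name, role, password, student_id), PDO for the
// database connection, and a login form posting `username` and `password`.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 1800;

// Session configuration must be set BEFORE session_start().
// use_strict_mode: PHP discards any session ID it did not issue itself, so a
// PHPSESSID planted by an attacker never becomes a live session at all.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,        // cookie lives only for the browser session
    'path'     => '/',
    'secure'   => true,     // never sent over plain HTTP (no sniffing)
    'httponly' => true,     // invisible to document.cookie (limits XSS abuse)
    'samesite' => 'Strict',
]);
session_start();

// Ends the session server side and expires the cookie client side. Clearing
// the cookie plus session_destroy() replaces the page's step 2 regenerate call;
// either way the old ID can no longer be reused.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
    header('Location: index.php');
    exit; // a redirect header alone does not stop the script
}

// Idle timeout: anything inactive longer than IDLE_TIMEOUT_SECONDS is ended.
if (isset($_SESSION['last_active'])
    && time() - (int) $_SESSION['last_active'] > IDLE_TIMEOUT_SECONDS) {
    logout();
}
$_SESSION['last_active'] = time();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT id, username, name, role, password, student_id FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || !password_verify($password, $user['password'])) {
        return false;
    }

    // Privilege changed (anonymous -> authenticated): issue a fresh session ID
    // and delete the old session data, so a pre-login ID known to an attacker
    // is now worthless.
    session_regenerate_id(true);

    $_SESSION['user_id']     = $user['id'];
    $_SESSION['username']    = $user['username'];
    $_SESSION['name']        = $user['name'];
    $_SESSION['role']        = $user['role'];
    $_SESSION['student_id']  = $user['student_id'] ?? null;
    $_SESSION['last_active'] = time();
    return true;
}

// Minimal request handling (assumed routes: POST login form, POST logout=1).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['logout'])) {
        logout();
    }
    // Assumed DSN and credentials; load them from configuration in practice.
    $db = new PDO('mysql:host=localhost;dbname=personalags', 'app_user', 'APP_PASSWORD_HERE', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    if (login($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''))) {
        header('Location: dashboard.php'); // assumed post-login page
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password.';
}
```

To confirm the fix on a deployed instance, compare the PHPSESSID value the browser holds before submitting the login form with the one in the Set-Cookie header of the login response: after this change the two differ, and a request carrying the pre-login ID is treated as an anonymous session.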