Submission #844641: https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Session Fixation

Title: https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Session Fixation
Description: A Session Fixation vulnerability exists in the CET AI Predictive Grading System. After successful authentication, the application writes user data to $_SESSION but never calls session_regenerate_id(true) to issue a new session ID. An attacker who can obtain or plant a known session ID in the victim's browser therefore inherits the fully authenticated session once the victim logs in, without needing to know the victim's credentials, because the session ID never changes after authentication.

Vulnerable Code (index.php lines 84-92):

    $_SESSION['user_id']    = $user['id'];
    $_SESSION['username']   = $user['username'];
    $_SESSION['name']       = $user['name'];
    $_SESSION['role']       = $user['role'];
    $_SESSION['student_id'] = $user['student_id'] ?? null;
    // session_regenerate_id(true) is never called

Steps to Reproduce:
1. Attacker obtains a valid session ID by visiting: http://[host]/PersonalAGS/index.php
2. Attacker plants the known session ID in the victim's browser via XSS or network sniffing on HTTP
3. Victim logs in using their credentials
4. Session ID remains unchanged after login
5. Attacker uses the pre-known session ID to access the application as the authenticated victim

Extended Attack Scenario:
- Combine with the Reflected XSS vulnerability already found in this application to plant the session ID: http://[host]/PersonalAGS/index.php?action=<script>document.cookie='PHPSESSID=attacker_known_id'</script>
- Wait for the victim to log in
- Attacker now has full authenticated access as the victim

Impact:
- Complete account takeover without knowing credentials
- Admin, faculty or student account hijacking
- Access to all grade records and system functions
- Bypasses authentication entirely

Affected File: index.php
Affected Lines: 84-92
Auth Required: No
User Interaction: Required (victim must log in)
CWE: CWE-384
CVSS: 6.8 (Medium)

Recommended Fix:
1. Call session_regenerate_id(true) immediately after successful login, before any authenticated state is stored:

    if ($user && password_verify($password, $user['password'])) {
        session_regenerate_id(true); // Add this line
        $_SESSION['user_id']    = $user['id'];
        $_SESSION['username']   = $user['username'];
        $_SESSION['name']       = $user['name'];
        $_SESSION['role']       = $user['role'];
        $_SESSION['student_id'] = $user['student_id'] ?? null;
    }

2. Call session_regenerate_id(true) again on logout, then destroy the session:

    session_regenerate_id(true);
    session_destroy();

3. Set secure session cookie parameters (this must run before session_start(), or the first Set-Cookie header is sent with the default attributes):

    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict'
    ]);

4. Implement session expiry and idle timeout (the exit after the redirect is required, otherwise the rest of the script still executes and repopulates the destroyed session):

    if (isset($_SESSION['last_active']) && (time() - $_SESSION['last_active'] > 1800)) {
        session_destroy();
        header("Location: index.php");
        exit;
    }
    $_SESSION['last_active'] = time();
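The four recommendations above belong in one place, because the order matters: cookie flags before session_start(), the idle check before any page logic, and the ID rotation after password verification but before $_SESSION is populated. The following is an added example of such a hardened login/logout flow, written for this report; it is not code from the CET Automated Grading System. The user lookup (find_user_by_username), the users table columns and the $pdo connection are assumed placeholders standing in for the application's own query.

```php
<?php
// Added example (not the project's code): hardened session handling that applies
// the report's four recommendations together. find_user_by_username() and the
// 'users' table columns are assumptions, not the application's real code.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 1800; // 30 minutes, the value used in the report

// 3. Cookie attributes must be set BEFORE session_start(); afterwards the first
//    Set-Cookie header has already gone out with the default attributes.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'secure'   => true,     // never sent over plain HTTP (counters sniffing in step 2)
    'httponly' => true,     // not readable from JavaScript (counters the document.cookie planting)
    'samesite' => 'Strict',
]);
// Reject session IDs the server never issued: a planted PHPSESSID value is
// ignored and PHP hands out a fresh ID instead of adopting the attacker's.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

// 4. Idle timeout: tear down a session that has been inactive too long.
if (isset($_SESSION['last_active']) && time() - $_SESSION['last_active'] > IDLE_TIMEOUT_SECONDS) {
    logout(); // ends the request, see below
}
$_SESSION['last_active'] = time();

/**
 * Hypothetical lookup standing in for the application's SELECT by username.
 * Returns the user row (with a password_hash() digest in 'password') or null.
 */
function find_user_by_username(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, name, role, student_id, password FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * 1. Login: verify the password, THEN rotate the session ID before any
 *    authenticated state is written. With delete_old_session = true the
 *    pre-login ID (the one an attacker could have fixated) is removed server-side.
 */
function login(PDO $pdo, string $username, string $password): bool
{
    $user = find_user_by_username($pdo, $username);
    if ($user === null || !password_verify($password, $user['password'])) {
        return false;
    }

    session_regenerate_id(true); // the missing call that closes CWE-384

    $_SESSION['user_id']     = $user['id'];
    $_SESSION['username']    = $user['username'];
    $_SESSION['name']        = $user['name'];
    $_SESSION['role']        = $user['role'];
    $_SESSION['student_id']  = $user['student_id'] ?? null;
    $_SESSION['last_active'] = time();
    return true;
}

/**
 * 2. Logout: drop the data, expire the browser cookie, and destroy the
 *    server-side record so the old ID cannot be replayed. Ends the request.
 */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
    header('Location: index.php');
    exit; // without this the rest of the script still runs as if logged in
}
```

The check that matters for this report is easy to verify from the browser: note the PHPSESSID value before logging in, log in, and confirm the cookie value has changed. With session.use_strict_mode enabled, a cookie carrying an ID the server never issued is also replaced on the very first request, which removes the precondition for step 2 of the reproduction even before login.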
Source: https://cwe.mitre.org/data/definitions/384.html
User: Abhay mp (UID 98542)
Submitted: 01/06/2026 09:26 (1 month ago)
Moderated: 03/07/2026 15:58 (1 month later)
Status: Accepted
VulDB Entry: 376117 [SourceCodester CET Automated Grading System with AI Predictive Analytics weak authentication]
Points: 20
