Submission #844641: https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Session Fixation

Info

Title: https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Session Fixation
Description: A Session Fixation vulnerability exists in the CET AI Predictive Grading System. After successful authentication, the application writes user data to $_SESSION but never calls session_regenerate_id(true) to issue a new session ID. An attacker who can obtain or plant a known session ID in the victim's browser therefore inherits the fully authenticated session once the victim logs in, without needing the victim's credentials.

Vulnerable Code (index.php lines 84-92):

    $_SESSION['user_id']    = $user['id'];
    $_SESSION['username']   = $user['username'];
    $_SESSION['name']       = $user['name'];
    $_SESSION['role']       = $user['role'];
    $_SESSION['student_id'] = $user['student_id'] ?? null;
    // session_regenerate_id(true) is never called

Because the session ID never changes after authentication, an attacker who fixates a known session ID in the victim's browser and waits for the victim to log in ends up holding the victim's authenticated session.

Steps to Reproduce:
1. Attacker obtains a valid, server-issued session ID by visiting http://[host]/PersonalAGS/index.php
2. Attacker plants that session ID in the victim's browser (for example via XSS), or learns the victim's own pre-login session ID by sniffing plaintext HTTP
3. Victim logs in with their credentials
4. The session ID remains unchanged after login
5. Attacker presents the pre-known session ID and is treated as the authenticated victim

Step 1 matters: with session.use_strict_mode enabled, PHP rejects session IDs it did not issue, but an ID the server handed to the attacker is accepted either way, so strict mode alone does not stop this attack.

Extended Attack Scenario:
- Combine with the Reflected XSS vulnerability already found in this application to plant the session ID:
  http://[host]/PersonalAGS/index.php?action= <script>document.cookie='PHPSESSID=attacker_known_id'</script>
- Wait for the victim to log in
- Attacker now has full authenticated access as the victim

Impact:
- Complete account takeover without knowing credentials
- Admin, faculty or student account hijacking
- Access to all grade records and system functions
- Bypasses authentication entirely

Affected File: index.php
Affected Lines: 84-92
Auth Required: No
User Interaction: Required (victim must log in)
CWE: CWE-384
CVSS: 6.8 (Medium)

Recommended Fix:
1. Call session_regenerate_id(true) immediately after successful login, before any user data is written to the session:

    if ($user && password_verify($password, $user['password'])) {
        session_regenerate_id(true); // add this line: issue a fresh ID and delete the old session data
        $_SESSION['user_id']    = $user['id'];
        $_SESSION['username']   = $user['username'];
        $_SESSION['name']       = $user['name'];
        $_SESSION['role']       = $user['role'];
        $_SESSION['student_id'] = $user['student_id'] ?? null;
    }

2. On logout, clear the session data, regenerate the ID and destroy the session:

    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();

3. Set secure session cookie parameters. This must run before session_start(), and 'secure' => true means the browser only sends the cookie over HTTPS, so the application has to be served over TLS:

    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict'
    ]);
    session_start();

4. Implement an idle timeout. The exit after the redirect is required; without it the rest of the script keeps running for this request with the stale $_SESSION data still in memory:

    if (isset($_SESSION['last_active']) && (time() - $_SESSION['last_active'] > 1800)) {
        $_SESSION = [];
        session_destroy();
        header("Location: index.php");
        exit;
    }
    $_SESSION['last_active'] = time();
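The following is an added check, not code from this submission or from the grading system, that turns the reproduction steps above into something a tester can run: it obtains a server-issued PHPSESSID, logs in while presenting that ID, and reports whether the login response replaced it (regenerated) or left it in place (fixation), plus which of HttpOnly, Secure and SameSite the session cookie lacks. The form field names 'username' and 'password' are assumptions and should be adjusted to the real login form; PHPSESSID is PHP's default session cookie name. The header-level logic is exercised with constructed Set-Cookie values so it runs offline.

```python
"""Session-fixation check for a PHP login: does the session ID survive login?"""
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

SESSION_COOKIE = "PHPSESSID"  # PHP default; change if session.name is customised


def session_morsel(set_cookie_headers, name=SESSION_COOKIE):
    """Return the Morsel for the session cookie from a list of Set-Cookie
    header values, or None if none of them sets that cookie."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            return jar[name]
    return None


def session_id_from_set_cookie(set_cookie_headers, name=SESSION_COOKIE):
    """Value the response assigns to the session cookie, or None."""
    morsel = session_morsel(set_cookie_headers, name)
    return None if morsel is None else morsel.value


def classify_login(pre_login_id, post_login_set_cookies, name=SESSION_COOKIE):
    """No Set-Cookie for the session cookie, or the same value again, means
    the authenticated session keeps the pre-login ID (fixation); a different
    value means session_regenerate_id() or equivalent ran."""
    new_id = session_id_from_set_cookie(post_login_set_cookies, name)
    if new_id is None or new_id == pre_login_id:
        return "fixation"
    return "regenerated"


def missing_cookie_flags(set_cookie_headers, name=SESSION_COOKIE):
    """Which of HttpOnly/Secure/SameSite the session cookie lacks, or None
    if no header in the list sets the session cookie."""
    morsel = session_morsel(set_cookie_headers, name)
    if morsel is None:
        return None
    missing = []
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["samesite"]:
        missing.append("SameSite")
    return missing


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the post-login redirect: the Set-Cookie that matters
    is on the 302 itself and would be lost on the followed page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _open(opener, request):
    # 3xx/4xx responses are raised as HTTPError but still carry headers.
    try:
        return opener.open(request, timeout=15)
    except urllib.error.HTTPError as err:
        return err


def check_live(login_url, username, password,
               user_field="username", pass_field="password"):
    """Run the check against a real login page (field names are assumed).
    Confirm from 'status' that the login actually succeeded, e.g. a 302 to
    the dashboard; a failed login also leaves the ID unchanged."""
    opener = urllib.request.build_opener(_NoRedirect())
    # Step 1: a server-issued ID, accepted even under session.use_strict_mode.
    first = _open(opener, urllib.request.Request(login_url))
    first_cookies = first.headers.get_all("Set-Cookie") or []
    pre_id = session_id_from_set_cookie(first_cookies)
    if pre_id is None:
        raise RuntimeError("login page did not issue a %s cookie" % SESSION_COOKIE)
    # Step 2: log in while presenting that ID, exactly as the victim would.
    body = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
    login = _open(opener, urllib.request.Request(
        login_url, data=body, headers={"Cookie": "%s=%s" % (SESSION_COOKIE, pre_id)}))
    login_cookies = login.headers.get_all("Set-Cookie") or []
    return {
        "status": login.code,
        "pre_login_id": pre_id,
        "post_login_id": session_id_from_set_cookie(login_cookies) or pre_id,
        "verdict": classify_login(pre_id, login_cookies),
        "missing_flags": missing_cookie_flags(first_cookies),
    }


if __name__ == "__main__":
    import sys
    print(check_live(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run it as `python check.py http://[host]/PersonalAGS/index.php <user> <pass>` against a test account. A verdict of "fixation" on a successful login is the condition this submission describes; after the recommended fix the second response should carry a new PHPSESSID and the verdict becomes "regenerated".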
Source: https://cwe.mitre.org/data/definitions/384.html
User: Abhay mp (UID 98542)
Submitted: 2026-06-01 09:26 AM (1 month ago)
Moderation: 2026-07-03 03:58 PM (1 month later)
Status: Accepted
VulDB Entry: 376117 [SourceCodester CET Automated Grading System with AI Predictive Analytics weak authentication]
Points: 20
