Summary
The login page does not invalidate existing session identifiers; instead, it accepts and validates whatever session identifier is already stored in the browser. After the user logs in, that pre-existing identifier becomes an authenticated session. An attacker who was able to set the identifier beforehand can then use the same session identifier to access the victim's web panel. In this case, the vulnerability allows remote attackers to set a session identifier when HSTS is disabled in the victim's browser.
Details
Because the login page does not invalidate any existing session identifier, it validates whatever session identifier the browser already holds, which gives an attacker an opportunity when HSTS is not set. You only need to set PHPSESSID in the browser before logging in, and that session identifier will be validated. This testing strategy targets network attackers; hence it only needs to be applied to sites without full HSTS adoption.
PoC
While on the login page of the mailcow web panel, change PHPSESSID to any random string you want and submit your username and password. You will see that the existing PHPSESSID is not invalidated and your string is validated as the session. This only needs to be applied to sites without full HSTS adoption.
POST / HTTP/1.1
Host: demo.mailcow.email
Cookie: PHPSESSID=<any random string you want>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.mailcow.email/
Content-Type: application/x-www-form-urlencoded
Content-Length: 110
Origin: https://demo.mailcow.email
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
login_user=admin&pass_user=whoohoo
The response then shows that your random PHPSESSID string has been accepted as a valid session.
Impact
- A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
- An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
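The standard fix for this class of bug is to rotate the session identifier at the moment of authentication, so that whatever PHPSESSID the browser presented before login is discarded rather than promoted to an authenticated session. The following PHP login handler is an added illustration written for this advisory; it is not mailcow's code. The form field names login_user and pass_user are taken from the PoC request above; check_credentials() and the session keys it sets are assumptions.

```php
<?php
// Added example (not mailcow's code): a login handler hardened against
// session fixation. Field names follow the PoC request (login_user /
// pass_user); check_credentials() and the $_SESSION keys are assumptions.
declare(strict_types=1);

// Cookie flags set before the session starts. 'secure' keeps PHPSESSID off
// plain-HTTP requests, which is the network-attacker path the advisory ties
// to missing HSTS; 'httponly' keeps it away from script; SameSite=Lax limits
// cross-site sending.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Strict mode makes PHP refuse a session ID it did not itself create and
// issue a fresh one, so an arbitrary attacker-chosen string is never
// adopted as a session. use_only_cookies stops IDs arriving in the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

// HSTS for the whole host (only meaningful once the site is fully HTTPS).
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

/**
 * Hypothetical credential check used for this example only; a real
 * application verifies against its own user store.
 */
function check_credentials(string $user, string $pass): bool
{
    // Constructed example account; a real store would be queried here.
    static $hash = null;
    $hash ??= password_hash('example-password', PASSWORD_DEFAULT);
    return $user === 'admin' && password_verify($pass, $hash);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['login_user'] ?? '');
    $pass = (string)($_POST['pass_user'] ?? '');

    if (check_credentials($user, $pass)) {
        // The actual fix: rotate the ID at the privilege boundary and delete
        // the old session data (delete_old_session = true). The PHPSESSID the
        // browser sent during login is now useless, whoever planted it.
        session_regenerate_id(true);
        $_SESSION['authenticated_user'] = $user;   // assumed key name
        $_SESSION['login_time']         = time();  // assumed key name
        header('Location: /', true, 303);
        exit;
    }

    // Failed login: leave nothing authenticated behind.
    $_SESSION = [];
    http_response_code(401);
    echo 'Login failed';
    exit;
}
```

With this in place, a POST that carries a pre-set PHPSESSID produces a response whose Set-Cookie header contains a different PHPSESSID value; if the cookie value sent in the request comes back unchanged after a successful login, the fix is not active. session_regenerate_id() is the essential part; use_strict_mode and the cookie flags are defence in depth and do not replace the rotation.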
Useful links:
For more information:
@MortazaviM