Improper Session Management - Session Fixation

Open Loginsoft-Research opened this issue 6 years ago • 3 comments

Describe Your Environment

  • ZoneMinder v1.33.1
  • Installed from - ppa:iconnor/zoneminder-master

Describe the bug

Before any response is rendered on the web page, a cookie is being set as part of the response via the Set-Cookie header. Currently, due to improper implementation, multiple cookies (3-5) are being set when a user successfully logs in, which isn't expected behavior. Now when the next user logs into the application using the same browser, the last user's last cookie is being set as the present user's first cookie.

To Reproduce

  • Log in to the application, capture the response (Live HTTP header addon for Firefox)

  • Multiple Set-Cookie headers will be present in the response

Exploitation

Actors-

  • User A (Victim)
  • User B (Attacker)
  1. User B logs into the application, captures his own cookies & logs out.

User B's cookie :

Set-Cookie: ZMSESSID=rrnilufc9vgb3cp0l2m7cqrc91; path=/; HttpOnly
Set-Cookie: ZMSESSID=blkta1mgocj5ksqdg5ncpdptg3; path=/; HttpOnly
Set-Cookie: ZMSESSID=blkta1mgocj5ksqdg5ncpdptg3; path=/; HttpOnly
Set-Cookie: ZMSESSID=blkta1mgocj5ksqdg5ncpdptg3; path=/; HttpOnly
Set-Cookie: ZMSESSID=p79d4mk2g6sm5qi6o51ep6j6m5; path=/; HttpOnly - Common to User A's First cookie

  2. User A uses the same browser & logs into the application.

User A's cookie -

Set-Cookie: ZMSESSID=p79d4mk2g6sm5qi6o51ep6j6m5; path=/; HttpOnly - Common to User B's Last cookie
Set-Cookie: ZMSESSID=2397j5pchtgt153ukrmutgbmv1; path=/; HttpOnly
Set-Cookie: ZMSESSID=2397j5pchtgt153ukrmutgbmv1; path=/; HttpOnly
Set-Cookie: ZMSESSID=2397j5pchtgt153ukrmutgbmv1; path=/; HttpOnly
Set-Cookie: ZMSESSID=eg5hvsn3i67n34fibt5nq7lbu6; path=/; HttpOnly

  3. User B uses User A's Last cookie to hijack the User B's session (locally/remotely)

Expected behavior

  • Only set a single cookie for the user & invalidate it once the user logs out of the application.

Debug Logs


None

Loginsoft-Research avatar Jan 24 '19 21:01 Loginsoft-Research
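
A regression check for the two symptoms reported above, run over captured login responses. This is an added example, not part of the original issue or ZoneMinder's code. The function names are hypothetical; the header values are the ones quoted in the report.

```python
COOKIE_NAME = "ZMSESSID"

# Login responses quoted in the report, in header order.
USER_B_LOGIN = [
    "Set-Cookie: ZMSESSID=rrnilufc9vgb3cp0l2m7cqrc91; path=/; HttpOnly",
    "Set-Cookie: ZMSESSID=blkta1mgocj5ksqdg5ncpdptg3; path=/; HttpOnly",
    "Set-Cookie: ZMSESSID=blkta1mgocj5ksqdg5ncpdptg3; path=/; HttpOnly",
    "Set-Cookie: ZMSESSID=blkta1mgocj5ksqdg5ncpdptg3; path=/; HttpOnly",
    "Set-Cookie: ZMSESSID=p79d4mk2g6sm5qi6o51ep6j6m5; path=/; HttpOnly",
]
USER_A_LOGIN = [
    "Set-Cookie: ZMSESSID=p79d4mk2g6sm5qi6o51ep6j6m5; path=/; HttpOnly",
    "Set-Cookie: ZMSESSID=2397j5pchtgt153ukrmutgbmv1; path=/; HttpOnly",
    "Set-Cookie: ZMSESSID=2397j5pchtgt153ukrmutgbmv1; path=/; HttpOnly",
    "Set-Cookie: ZMSESSID=2397j5pchtgt153ukrmutgbmv1; path=/; HttpOnly",
    "Set-Cookie: ZMSESSID=eg5hvsn3i67n34fibt5nq7lbu6; path=/; HttpOnly",
]

def session_ids(headers, name=COOKIE_NAME):
    """Return the values a response sets for the session cookie, in order."""
    ids = []
    for header in headers:
        field, _, value = header.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        key, _, val = value.split(";", 1)[0].partition("=")
        if key.strip() == name:
            ids.append(val.strip())
    return ids

def audit_logins(logins):
    """logins: ordered (user, login response headers) pairs from one browser.

    Flags a login response that sets the session cookie more than once, and
    a session ID left over from the previous login being issued again.
    """
    findings = []
    held = None  # session ID the browser holds when the next login starts
    for user, headers in logins:
        ids = session_ids(headers)
        if len(ids) > 1:
            findings.append(("multiple-set-cookie", user, len(ids)))
        if held is not None and held in ids:
            findings.append(("id-carried-over", user, held))
        if ids:
            held = ids[-1]
    return findings
```

An empty findings list is what the "Expected behavior" section describes: one fresh session cookie per login, with nothing carried over from the previous user.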

The issue was assigned CVE-2019-7350. Any plans to commit a fix?

tamir-ben avatar Mar 01 '21 14:03 tamir-ben

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 16 '22 07:04 stale[bot]

When is this high-priority CVE planned to be resolved?

synthead avatar Dec 19 '23 04:12 synthead