FirstBlood-#774: No session invalidation after logout on vaccine-portal
This issue was discovered on FirstBlood v2

On 2021-10-28, newrouge Level 3 reported:

Hey, I found that the vaccine portal doesn't invalidate sessions after logging out from the application.

(I am not sure whether it's even a bug or not on the event; just to make sure, I am reporting this as P5.)

  • Navigate to the https:/

    • Log in with the valid credentials, and now you are on portal.php.

    • Click on Logout, close the current tab, open a new tab and paste the below URL

    Even after logging out from the vaccine portal previously, we can still see all the details as a logged-in user.

Thank you


P4 Low

Endpoint: /vaccination-manager/portal.php

Parameter: N/A

Payload: vaccine_manager cookie

FirstBlood ID: 43
Vulnerability Type: Application/Business Logic

The session cookie is not invalidated in the database and thus old session tokens are still valid until a new login is made and a new session token is set.
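
The behaviour described above, as an added example: a small Python model, not FirstBlood's own code, that sets a logout which leaves the stored token in place beside one that deletes it. It assumes one stored token per user and that the flawed logout only clears the browser cookie; the class, method and user names are hypothetical.

```python
import secrets


class SessionStore:
    """Constructed model of a server-side table: user -> current session token."""

    def __init__(self):
        self._token_by_user = {}

    def login(self, user):
        # A new login overwrites the stored token. In the flawed design this is
        # the only point at which an older token stops being accepted.
        token = secrets.token_hex(16)
        self._token_by_user[user] = token
        return token

    def user_for(self, token):
        # Per-request check a protected page would do with the cookie value.
        for user, stored in self._token_by_user.items():
            if secrets.compare_digest(stored, token):
                return user
        return None

    def logout_flawed(self, token):
        # Assumption: only the browser is told to drop the cookie; the stored
        # token is untouched, so a saved copy of it keeps working.
        return {"Set-Cookie": "vaccine_manager=; Max-Age=0"}

    def logout_fixed(self, token):
        # Delete the token server-side first, then clear the cookie.
        user = self.user_for(token)
        if user is not None:
            del self._token_by_user[user]
        return {"Set-Cookie": "vaccine_manager=; Max-Age=0"}


def replay_after_logout(logout_name):
    """Return (accepted after logout, accepted after next login) for a saved token."""
    store = SessionStore()
    old = store.login("admin")          # token captured before logout
    getattr(store, logout_name)(old)    # user clicks Logout
    after_logout = store.user_for(old) is not None
    store.login("admin")                # a later login rotates the token
    after_relogin = store.user_for(old) is not None
    return after_logout, after_relogin


if __name__ == "__main__":
    print("flawed:", replay_after_logout("logout_flawed"))
    print("fixed: ", replay_after_logout("logout_fixed"))
```

The same two-step check (request the protected page with the pre-logout cookie, expect a rejection) works as a regression test against a real logout handler.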