FirstBlood-#774 — No session invalidation after logout on vaccine-portal
This issue was discovered on FirstBlood v2 (issues patched)
On 2021-10-28, newrouge Level 3 reported:
Hey, I found that the vaccine portal doesn't invalidate sessions after logging out from the application.
(I am not sure whether it's even a bug or not on event; just to make sure, I am reporting this P5)
Navigate to the
Log in with valid credentials, and now you are on portal.php.
Click on Logout, close the current tab, open a new tab and paste the below URL
Even after logging out from the vaccine portal previously, we can still see all the details as a logged-in user.
FirstBlood ID: 43
Vulnerability Type: Application/Business Logic
The session cookie is not invalidated in the database and thus old session tokens are still valid until a new login is made and a new session token is set.
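The description above can be turned into a regression check. The following is an added example, not FirstBlood's code: it models the stored token with an in-memory SQLite table and compares a logout that only clears the browser cookie with one that also clears the stored token. The table and column names, the function names, the `drtest` account and the one-token-per-user layout are assumptions made for illustration.

```python
import secrets
import sqlite3

def make_db():
    # Assumed layout: one stored session token per user.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, session_token TEXT)")
    db.execute("INSERT INTO users VALUES ('drtest', NULL)")  # constructed sample account
    return db

def login(db, name):
    """Issue a fresh random token and store it; any older token stops matching."""
    token = secrets.token_hex(32)
    db.execute("UPDATE users SET session_token = ? WHERE name = ?", (token, name))
    return token

def authenticated_user(db, token):
    """Server-side check performed on every request to a protected page."""
    if not token:
        return None
    row = db.execute(
        "SELECT name FROM users WHERE session_token = ?", (token,)
    ).fetchone()
    return row[0] if row else None

def logout_cookie_only(db, token):
    """Behaviour described in the report: the cookie is cleared, the DB row is untouched."""
    return ""  # value the browser is told to store

def logout_invalidate(db, token):
    """Hardened logout: clear the stored token so a replayed cookie no longer matches."""
    db.execute("UPDATE users SET session_token = NULL WHERE session_token = ?", (token,))
    return ""

def replay_after_logout(logout):
    """Log in, keep a copy of the cookie, log out, then present the saved copy again."""
    db = make_db()
    saved = login(db, "drtest")
    logout(db, saved)
    return authenticated_user(db, saved)

if __name__ == "__main__":
    print("cookie-only logout :", replay_after_logout(logout_cookie_only))
    print("invalidating logout:", replay_after_logout(logout_invalidate))
```
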