FirstBlood-#774 No session invalidation after logout on vaccine-portal
This issue was discovered on FirstBlood v2



On 2021-10-28, newrouge Level 3 reported:

Hey, I found that the vaccine portal doesn't invalidate sessions after logging out of the application.

(I am not sure whether it's even a bug or not on the event; just to make sure, I am reporting this as P5.)

  • Navigate to https://firstbloodhackers.com/vaccination-manager/login.php
  • Log in with valid credentials; you are now on portal.php.
  • Click Logout, close the current tab, open a new tab and paste the URL below:
    https://firstbloodhackers.com/vaccination-manager/portal.php

Even after logging out of the vaccine portal, we can still see all the details as the logged-in user.

Thank you

newrouge

P4 Low

Endpoint: /vaccination-manager/portal.php

Parameter: N/A

Payload: vaccine_manager cookie


FirstBlood ID: 43
Vulnerability Type: Application/Business Logic

The session token carried in the vaccine_manager cookie is not invalidated in the database on logout, so an old token keeps working until the user logs in again and a new token replaces it.
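The behaviour described above, modelled as an added example (this is illustrative Python written for this page, not FirstBlood's PHP code): a stand-in sessions table that stores one current token per user, a vulnerable logout that only expires the browser cookie, a fixed logout that also deletes the row, and a replay of the saved vaccine_manager cookie against a portal.php stand-in. The cookie name is from the report; the username, the store layout and the function names are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "vaccine_manager"  # cookie name taken from the report


class SessionStore:
    """Stand-in for the portal's sessions table: one current token per user
    (constructed for this example; layout assumed, not FirstBlood's schema)."""

    def __init__(self):
        self._token_for_user = {}

    def login(self, username):
        token = secrets.token_hex(32)
        self._token_for_user[username] = token  # a fresh login replaces the old token
        return token

    def user_for(self, token):
        for user, stored in self._token_for_user.items():
            if secrets.compare_digest(stored, token):
                return user
        return None

    def logout_vulnerable(self, token):
        # Tells the browser to drop the cookie but leaves the DB row untouched,
        # so anyone who still holds the old token stays logged in.
        return expire_cookie_header()

    def logout_fixed(self, token):
        user = self.user_for(token)
        if user is not None:
            del self._token_for_user[user]  # server-side revocation of the token
        return expire_cookie_header()


def expire_cookie_header():
    return f"{COOKIE_NAME}=deleted; Max-Age=0; Path=/; HttpOnly; Secure"


def portal(store, cookie_header):
    """portal.php stand-in: 200 with the page if the cookie maps to a user,
    otherwise 302 to login.php."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    user = store.user_for(morsel.value) if morsel else None
    if user is None:
        return 302, "login.php"
    return 200, f"vaccination records for {user}"


def replay_after_logout(fixed):
    """Reproduce the report: log in, log out, resend the saved cookie to portal.php."""
    store = SessionStore()
    token = store.login("newrouge")  # constructed username
    (store.logout_fixed if fixed else store.logout_vulnerable)(token)
    status, _ = portal(store, f"{COOKIE_NAME}={token}")
    return status


def replay_after_relogin():
    """With the vulnerable logout, only a fresh login retires the old token."""
    store = SessionStore()
    old = store.login("newrouge")
    store.logout_vulnerable(old)
    store.login("newrouge")
    status, _ = portal(store, f"{COOKIE_NAME}={old}")
    return status


if __name__ == "__main__":
    print("vulnerable logout, replay old cookie:", replay_after_logout(False))  # 200
    print("fixed logout, replay old cookie:", replay_after_logout(True))        # 302
    print("vulnerable logout, re-login, replay old cookie:", replay_after_relogin())  # 302
```

The check a tester runs is the last two lines of `replay_after_logout`: save the cookie before clicking Logout, then send it again. A logout that only sets `Max-Age=0` on the client looks correct in the browser but leaves the token valid on the server; the fix is to delete (or mark revoked) the token row in the logout handler before expiring the cookie.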