FirstBlood-#825 Vaccination manager doesn't destroy the cookie on logout
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-29, twsec Level 2 reported:

After logging out from the vaccination manager portal, it turns out that the cookie wasn't destroyed properly.

Steps to reproduce:

  1. First we'll try to navigate to portal.php immediately and find out that we cannot.

     This screenshot is from before we log in; notice that there's no cookie set.

  2. Log in normally using the admin username and password, and we're redirected to portal.php.

  3. Now we click on the "securely sign out" button and we're redirected to the home page again.

     Notice now that the cookie value is not present.

  4. Navigate back to vaccination-manager/login.php.

     Notice that the cookie is back there, so with that, navigate to portal.php.

     And we're in. But if I delete the cookie manually, this behavior doesn't happen.

Impact: imagine a lab or hospital using a shared PC. If the vaccine manager logs out and then a non-vaccine-manager logs in, he'll be able to access the vaccine manager portal when he's not supposed to.

Note: this is not a browser behavior, because I tried this with the doctor login and it didn't happen.

I'm using Edge Version 94.0.992.47

P4 Low

Endpoint: /vaccination-manager/portal.php

Parameter: logout

Payload: the cookie value


FirstBlood ID: 43
Vulnerability Type: Application/Business Logic

The session cookie is only cleared on the client; the session token is not invalidated in the database on logout, so old session tokens remain valid until a new login is made and a new session token is set.
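The following is an added illustration of the flaw described above, not FirstBlood's own code. It models a session store in an in-memory SQLite table and drives the reporter's reproduction (log in, log out, replay the old cookie against the portal) twice: once with a logout that only expires the cookie on the client, and once with a logout that also deletes the token server-side. The class name, the `CONSTRUCTED_PASSWORD` credential and the `session=` cookie name are assumptions for the example.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional


def _hash(token: str) -> str:
    # Store only a hash of the token so a leaked sessions table cannot be replayed directly.
    return hashlib.sha256(token.encode()).hexdigest()


class VaccinationManagerApp:
    """Hypothetical model of the login/portal/logout flow (added example, not the real app)."""

    def __init__(self, invalidate_on_logout: bool) -> None:
        self.invalidate_on_logout = invalidate_on_logout
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, username TEXT NOT NULL)"
        )

    def login(self, username: str, password: str) -> Optional[str]:
        """login.php: on valid credentials, mint a random token, persist it, hand it to the client."""
        # Constructed credential check; a real application verifies a password hash.
        if (username, password) != ("admin", "CONSTRUCTED_PASSWORD"):
            return None
        token = secrets.token_urlsafe(32)
        self.db.execute("INSERT INTO sessions VALUES (?, ?)", (_hash(token), username))
        return token

    def portal(self, cookie_token: Optional[str]) -> Optional[str]:
        """portal.php auth check: the username bound to the token if it is still live, else None."""
        if not cookie_token:
            return None
        row = self.db.execute(
            "SELECT username FROM sessions WHERE token_hash = ?", (_hash(cookie_token),)
        ).fetchone()
        return row[0] if row else None

    def logout(self, cookie_token: Optional[str]) -> dict:
        """portal.php?logout: returns the response header the client would receive."""
        if self.invalidate_on_logout and cookie_token:
            # The fix: the token is dead server-side regardless of what the browser keeps.
            self.db.execute(
                "DELETE FROM sessions WHERE token_hash = ?", (_hash(cookie_token),)
            )
        # Both variants tell the browser to drop the cookie; the vulnerable one does only this.
        return {"Set-Cookie": "session=; Max-Age=0; HttpOnly; Secure; SameSite=Lax"}


def replay_after_logout(invalidate_on_logout: bool) -> Optional[str]:
    """Reporter's steps 2-4: log in, sign out, then present the old cookie value to portal.php.

    Returns the username the portal accepts for the stale token, or None if it is rejected.
    """
    app = VaccinationManagerApp(invalidate_on_logout)
    token = app.login("admin", "CONSTRUCTED_PASSWORD")
    assert token is not None and app.portal(token) == "admin"  # sanity: login works
    app.logout(token)
    # The browser (or a copy of the cookie kept by the next user of a shared PC) sends the old value back.
    return app.portal(token)


if __name__ == "__main__":
    print("client-only logout, stale token accepted as:", replay_after_logout(False))
    print("server-side invalidation, stale token accepted as:", replay_after_logout(True))
```

The check that matters for triage is the second `portal()` call: a correct logout handler makes the server reject the token even when the client still presents it, which is exactly what the reporter's manual-deletion test could not prove. Deleting the row (or marking it revoked) is the minimal fix; rotating the token on every login, as the description notes already happens, is not a substitute because it only helps once someone else logs in.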