FirstBlood-#825 — Vaccination manager doesnt destroy the cookie on logout
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-29, twsec Level 2 reported:
after logging out from vaccination manager portal it turns out that the cookie wasn't destroyed properly
steps to reproduce:
- first we'll try to navigate to portal.php immediately and find out that we cannot.
this image is before we login and notice that there's no cookie set
- login normally using the admin and the password and we're redirected to portal.php
- now we click on the securely sign out button and we're redirected to home page again
notice now that the cookie value is not present
- navigate back to vaccination-manager/login.php
notice that the cookie is back there, so with that navigate to portal.php
and we're in, but if i delete it manually this behavior doesn't happen.
Impact : imagine a lab or hospital using a shared pc, and if the vaccine manager logs out then a non vaccine manager logs in he'll able to access vaccine manager when he's not supposed to.
Note : this is not a browser behavior because i tried this with the doctor login and it didn't happen.
i'm using edge Version 94.0.992.47
the cookie value
FirstBlood ID: 43
Vulnerability Type: Application/Business Logic
The session cookie is not invalidated in the database and thus old session tokens are still valid until a new login is made and a new session token is set.