FirstBlood #840: All user information is leaked due to unexpired cookies
This issue was discovered on FirstBlood v2



On 2021-10-29, axe Level 4 reported:

Steps

  1. Using the administrator user, click Test and capture the packet with Burp.

  2. Obtain the /drpanel/drapi/query.php?aptid=56911356 path and the reservation information.

    1. Record the current administrator's cookie: drps=39c1032de7c76a3b74f6d7e40

  3. Log out of the admin user and log in as the regular user Jam. Click Test and find that you need admin privileges to access it.

    1. Note: After logging out of your account, the cookie should expire and cannot be reused!!!

  4. Using the normal user Jam to access the /drpanel/drapi/query.php?aptid=56911356 path, I found that access failed.

    1. Replace your own cookie with the administrator's cookie: drps=f733b8e5b69462f6a72723515 -> drps=39c1032de7c76a3b74f6d7e40 -> Access successful!!!

Vulnerability Exploitation

  1. Brute-force the last three digits of the aptid parameter value 56911356; all users' sensitive information can be obtained.

Impact

  1. Because the cookie is still valid after logging out, the attacker can reuse it, for example to access sensitive information with this cookie.

Suggestions for fixing

  1. Cookies should be given a validity period.

  2. Cookies should expire immediately after the user logs out and should no longer be used!!!

P3 Medium

Endpoint: /drpanel/drapi/query.php

Parameter: aptid

Payload: 56911356


FirstBlood ID: 43
Vulnerability Type: Application/Business Logic

The session cookie is not invalidated in the database and thus old session tokens are still valid until a new login is made and a new session token is set.
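The root cause above (the server keeps the old session row until the next login) next to the corrected behaviour (logout deletes the row and every row carries an expiry), as an added example that is not FirstBlood's code. The cookie name drps and the admin-only endpoint are from the report; the users, roles, tokens and store layout are constructed.

```python
import secrets
import time

class SessionStore:
    """Server-side table keyed by the drps cookie value (constructed example)."""

    def __init__(self, ttl_seconds=3600, invalidate_on_logout=True):
        self.ttl = ttl_seconds
        self.invalidate_on_logout = invalidate_on_logout
        self._sessions = {}  # token -> {"user", "role", "expires"}
        self._current = {}   # user -> token (one live session per user)

    def login(self, user, role, now=None):
        now = time.time() if now is None else now
        # A new login replaces the user's old token; in the vulnerable
        # configuration this is the only time an old token ever dies.
        old = self._current.pop(user, None)
        self._sessions.pop(old, None)
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "role": role, "expires": now + self.ttl}
        self._current[user] = token
        return token

    def logout(self, token):
        # Vulnerable: only the browser forgets the cookie, the row stays valid.
        # Fixed: the row is deleted, so a captured token is useless afterwards.
        if self.invalidate_on_logout:
            record = self._sessions.pop(token, None)
            if record is not None:
                self._current.pop(record["user"], None)

    def lookup(self, token, now=None):
        """Return the record for a live, unexpired token, else None."""
        now = time.time() if now is None else now
        record = self._sessions.get(token)
        if record is None or record["expires"] <= now:
            self._sessions.pop(token, None)  # lazily purge expired rows
            return None
        return record

def can_query_appointment(store, token, now=None):
    """Check for an admin-only endpoint like /drpanel/drapi/query.php."""
    record = store.lookup(token, now)
    return record is not None and record["role"] == "admin"

def replay_after_logout(invalidate_on_logout):
    """Admin logs in, logs out, then the captured token is replayed."""
    store = SessionStore(invalidate_on_logout=invalidate_on_logout)
    token = store.login("admin", "admin", now=0)
    store.logout(token)
    return can_query_appointment(store, token, now=10)
```

replay_after_logout(False) reproduces the report (the replayed token still works), replay_after_logout(True) shows the fix; the TTL covers the first suggestion and the logout path covers the second.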