@captain-noob
Last active May 9, 2023 19:00
Session hijacking leading to privilege escalation

CVE-2023-31498 - Session hijacking leading to privilege escalation

Author: captain-noob
Vendor: PHPGurukul (https://phpgurukul.com/)
Software: Hospital Management System In PHP (https://phpgurukul.com/hospital-management-system-in-php)

Description

The Hospital Management System (HMS) allows users to register as patients and provides separate logins for doctors and admins. However, the system does not have proper session management in place, making it vulnerable to session hijacking. An attacker can register as a patient and obtain a valid session token. With this token, the attacker can then access the Doctor and Admin panels without any authentication credentials. This vulnerability can be exploited to perform privilege escalation, enabling the attacker to access sensitive areas of the system beyond their intended privileges.

Impact

An attacker can exploit this vulnerability to gain unauthorized access to sensitive areas of the system, such as patient records or administrative functions. This could potentially result in a data breach or other serious security incidents.

Proof of Concept:

1. Install the Hospital Management System.
2. Navigate to the Patient Login page (http://<domain:port>/hms/user-login.php).
3. Click on "create an account" and register a patient (http://<domain:port>/hms/registration.php).
4. Once the patient is created, navigate to the login page and log in with the credentials.
5. After successful login, navigate to the Doctor dashboard (http://<domain:port>/hms/doctor/dashboard.php). Observe that, without any doctor authentication credentials, the attacker has access to the doctor dashboard.
6. Similarly, try to access the Admin dashboard at http://<domain:port>/hms/admin/dashboard.php. Again, note that the attacker is able to access the dashboard without any admin credentials.

Remediation

The system should implement proper session management to prevent session hijacking and privilege escalation. Specifically, the system should assign a specific role to each user upon registration and verify the role before allowing access to sensitive areas of the system. Additionally, the system should implement a mechanism to invalidate sessions upon logout or after a period of inactivity.

For example, you could use the following code to set the role of the user upon login:

// login as a patient
$_SESSION['role'] = 'patient';

// login as a doctor
$_SESSION['role'] = 'doctor';

// login as an admin
$_SESSION['role'] = 'admin';

Then, in the session check code, you can verify that the user has the correct role before allowing them access to the doctor or admin panel. The original check combined the two role comparisons with `||`, which is always true (a role cannot equal both values), and it did not stop the script after the redirect; corrected example code:

session_start();
// Allow only doctors or admins into this panel; anyone else is sent to logout
if (!isset($_SESSION['role']) || !in_array($_SESSION['role'], ['doctor', 'admin'], true)) {
    header('Location: logout.php');
    exit(); // without exit() the rest of the protected page would still be rendered
} else {
    // login function
}
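The remediation above lists three separate requirements: a role stored at login, a role check on every protected page, and session invalidation on logout or inactivity. The following helper is an added example that ties them together; it is not code from the advisory or from PHPGurukul's HMS. The file name `auth.php`, the function names `hms_session_start`, `hms_login`, `hms_require_role` and `hms_logout`, the `uid` / `last_activity` session keys and the 900-second idle limit are all assumptions chosen for the illustration.

```php
<?php
// auth.php (hypothetical helper; names below are assumptions, not part of HMS)

const SESSION_IDLE_LIMIT = 900; // seconds of inactivity after which a session is discarded (assumed value)

// Start the session exactly once per request with hardened cookie flags.
function hms_session_start(): void {
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,                    // keep the cookie away from script access
            'samesite' => 'Lax',
            'secure'   => isset($_SERVER['HTTPS']), // only mark Secure when served over TLS
        ]);
        session_start();
    }
}

// Called by each login handler (patient, doctor, admin) after the password check succeeds.
function hms_login(int $userId, string $role): void {
    if (!in_array($role, ['patient', 'doctor', 'admin'], true)) {
        throw new InvalidArgumentException('unknown role');
    }
    hms_session_start();
    session_regenerate_id(true);   // discard any pre-login session id (session fixation defence)
    $_SESSION['uid']           = $userId;
    $_SESSION['role']          = $role;   // the role the later checks rely on
    $_SESSION['last_activity'] = time();
}

// Guard placed at the top of every protected page, for example in doctor/dashboard.php:
//   require_once '../auth.php'; hms_require_role(['doctor']);
// and in admin/dashboard.php with ['admin'].
function hms_require_role(array $allowedRoles): void {
    hms_session_start();
    $role = $_SESSION['role'] ?? null;
    $last = $_SESSION['last_activity'] ?? 0;

    $ok = $role !== null
        && in_array($role, $allowedRoles, true)     // a patient session never satisfies a doctor-only check
        && (time() - $last) <= SESSION_IDLE_LIMIT;  // idle sessions are rejected instead of kept alive

    if (!$ok) {
        hms_logout();                 // invalidate server-side state before redirecting
        header('Location: logout.php');
        exit();                       // without exit() the protected page body would still render
    }
    $_SESSION['last_activity'] = time();   // sliding inactivity window
}

// Destroys the session server-side and expires the cookie; used on logout and on guard failure.
function hms_logout(): void {
    hms_session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The point of `hms_require_role` is that the check is per panel: the doctor dashboard passes `['doctor']` and the admin dashboard passes `['admin']`, so a session created through the patient registration flow carries `role = 'patient'` and is redirected to logout by both. Checking only that a session exists, which is the behaviour the advisory describes, is what lets one role's session open another role's pages.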