Session Fixation in BigTree CMS 4.2.23 and earlier (CVE-2018-18380)
Description
A Session Fixation issue was discovered in Bigtree 4.2.23 and earlier. The PHP session ID is not regenerated after login. File core/inc/bigtree/admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session.
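For readers auditing their own PHP applications for this defect class, the following is an added illustration, not BigTree's code and not the vendor's actual fix: a minimal login handler in the vulnerable form (the pre-login session, whose ID may have come from the client, is simply promoted to a logged-in session) beside the hardened form that issues a fresh ID on authentication. The authenticate() helper, the credential values and the field names are assumptions made for the example.

```php
<?php
// Added illustration, not BigTree's own code: a minimal login handler
// showing the session-fixation defect and its fix in plain PHP.
// authenticate() and the sample credential below are assumptions.

// Reject session IDs the server never issued. Without strict mode PHP
// adopts any cookie value as a session ID, which is what makes a
// fixated ID usable at all. Must be set before session_start().
// (php.ini equivalent: session.use_strict_mode = 1)
ini_set('session.use_strict_mode', '1');
session_start();

// Vulnerable pattern: the session that existed before authentication
// keeps its ID after login, so whoever knew that ID now shares the
// authenticated session.
function login_vulnerable(string $user, string $pass): bool
{
    if (!authenticate($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;   // same session ID as before login
    return true;
}

// Hardened pattern: on every privilege change (login, role change),
// issue a new session ID and discard the old session data, so a
// pre-login ID is worthless once the user has authenticated.
function login_fixed(string $user, string $pass): bool
{
    if (!authenticate($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);  // true = delete the old session's data
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Stand-in credential check (assumption). Real code compares against a
// hash stored at registration time; the hash here is constructed inline
// so the example runs without a database.
function authenticate(string $user, string $pass): bool
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    }
    return $user === 'admin' && password_verify($pass, $hash);
}
```

A quick check that a deployment behaves like login_fixed(): compare the PHPSESSID cookie value sent with the login request against the Set-Cookie value in the successful login response. If they are identical, the application is keeping the pre-authentication ID and has the defect this advisory describes.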
Additional Information
- Vendor website: https://www.bigtreecms.org/about/
- Source code: https://github.com/bigtreecms/BigTree-CMS
Vulnerability Type - Other
Session Fixation
Vendor of Product
Bigtree CMS
Affected Product Code Base
Bigtree CMS - 4.2.23 and earlier
Attack Type
Remote
CVE Impact
Other
An attacker may generate a new session with the application and force the user to use this session via a cross-site scripting attack or another vector. Moreover, the attacker may try to steal a user's session ID. If the attacker can obtain the same session ID as the target user, the attacker may gain access to the application after the user has logged in. This could lead to a session hijacking attack.
Remediation
A fixed version has been released: 4.2.24.
Reference
- https://github.com/bigtreecms/BigTree-CMS/commit/c69402c4764ed9a76301c57277aefe70141b6418
- https://github.com/bigtreecms/BigTree-CMS/compare/4.2.x#diff-04c6e90faac2675aa89e2176d2eec7d8
Best regards, Juttikhun Khamchaiyaphum
Has vendor confirmed or acknowledged the vulnerability?
true
Discoverer
- Juttikhun Khamchaiyaphum