A session fixation issue was discovered in BigTree CMS 4.2.23 and earlier. The PHP session ID is not regenerated after login: the file core/inc/bigtree/admin.php keeps the session ID presented by the client instead of issuing a new one once a user has authenticated. An attacker who knows that session ID could hijack an admin session.
- Vendor website: https://www.bigtreecms.org/about/
- Source code: https://github.com/bigtreecms/BigTree-CMS
- Vulnerability type: Session Fixation
- Product: BigTree CMS
- Affected versions: 4.2.23 and earlier
- Attack type: Remote
An attacker may obtain a new session from the application and cause the target user to use that session, for example through a cross-site scripting attack or another vector, or may otherwise learn the user's session ID. Because the ID is not regenerated at login, once the target user authenticates, an attacker holding the same session ID gains authenticated access to the application. This leads to session hijacking.
A fixed version, 4.2.24, has been released.
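To illustrate the defect and its remedy, the following is an added example and not BigTree's own code: a minimal PHP login handler in its fixation-prone form next to a hardened form that regenerates the session ID after successful authentication, as the advisory describes the fix. The `authenticate()` helper, its credential store and the function names are hypothetical.

```php
<?php
// Added illustration (not BigTree code). Defence in depth: strict mode makes
// PHP reject session IDs it did not itself issue, and cookies-only prevents
// an ID from being supplied through the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

// Hypothetical stand-in for the application's credential check. The user
// table is constructed for this example; a real application loads stored hashes.
function authenticate(string $user, string $password): bool
{
    $users = ['admin' => password_hash('constructed-example-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Vulnerable pattern: the session ID that existed before login is kept, so an
// ID that was planted or learned earlier becomes an authenticated admin session.
function login_vulnerable(string $user, string $password): bool
{
    if (!authenticate($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user; // privileges attached to the pre-login ID
    return true;
}

// Hardened pattern: on success, issue a fresh session ID and delete the old
// session data (the `true` argument), so no pre-login ID can be reused.
function login_fixed(string $user, string $password): bool
{
    if (!authenticate($user, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Demonstration on constructed input: the ID must differ after a fixed login.
$before = session_id();
if (login_fixed('admin', 'constructed-example-password')) {
    echo $before === session_id()
        ? "session ID unchanged after login (vulnerable)\n"
        : "session ID regenerated after login (fixed)\n";
}
```

A quick check for this class of bug in any PHP application is to compare the session cookie value before and after a successful login; if it is unchanged, the login path does not regenerate the ID.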
- https://github.com/bigtreecms/BigTree-CMS/commit/c69402c4764ed9a76301c57277aefe70141b6418
- https://github.com/bigtreecms/BigTree-CMS/compare/4.2.x#diff-04c6e90faac2675aa89e2176d2eec7d8
Best regards, Juttikhun Khamchaiyaphum