[CVE-2019-12203] Session fixation in "change password" form

A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
This commit is contained in:
Serge Latyntcev 2019-09-16 16:29:42 +12:00 committed by Aaron Carlino
parent 1f92b21a04
commit eccfa9b10d
3 changed files with 14 additions and 1 deletions

View File

@ -217,7 +217,6 @@ class Session
*/ */
public function init(HTTPRequest $request) public function init(HTTPRequest $request)
{ {
if (!$this->isStarted() && $this->requestContainsSessionId($request)) { if (!$this->isStarted() && $this->requestContainsSessionId($request)) {
$this->start($request); $this->start($request);
} }
@ -634,4 +633,16 @@ class Session
} }
} }
} }
/**
* Regenerate session id
*
* @internal This is for internal use only. Isn't a part of public API.
*/
public function regenerateSessionId()
{
if (!headers_sent()) {
session_regenerate_id(true);
}
}
} }

View File

@ -158,6 +158,7 @@ class ChangePasswordHandler extends RequestHandler
Injector::inst()->get(IdentityStore::class)->logOut(); Injector::inst()->get(IdentityStore::class)->logOut();
} }
$this->getRequest()->getSession()->regenerateSessionId();
// Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm. // Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm.
$this->getRequest()->getSession()->set('AutoLoginHash', $member->encryptWithUserSettings($token)); $this->getRequest()->getSession()->set('AutoLoginHash', $member->encryptWithUserSettings($token));
} }

View File

@ -98,6 +98,7 @@ class SessionAuthenticationHandler implements AuthenticationHandler
$file = ''; $file = '';
$line = ''; $line = '';
// TODO: deprecate and use Session::regenerateSessionId
// @ is to supress win32 warnings/notices when session wasn't cleaned up properly // @ is to supress win32 warnings/notices when session wasn't cleaned up properly
// There's nothing we can do about this, because it's an operating system function! // There's nothing we can do about this, because it's an operating system function!
if (!headers_sent($file, $line)) { if (!headers_sent($file, $line)) {