Session Fixation in alovoa/alovoa

Valid

Reported on

Sep 16th 2021

Description

On changing password both session using which user changes password and old sessions in any other browser or device does not expire and remains active.

Proof of Concept

STEPS TO REPRODUCE:

Log in to Browser A and make sure to check 'stay logged in to this device' checkbox while logging in.
From Browser B login to your account and change password Notice that Session on Browser Awill remain active and does not expire.

Impact

The session doesn't expire even after the victim changes the password. Due to this bug, there is no way for the victim to revoke access of attacker if account has been already compromised.

Occurrences

PasswordController.java L1-L37

References

https://hackerone.com/reports/1069392

We have contacted a member of the alovoa team and are waiting to hear back 2 years ago

Nho Quy Dinh validated this vulnerability 2 years ago

Raptor has been awarded the disclosure bounty

The fix bounty is now up for grabs

Nho Quy Dinh marked this as fixed with commit 05cc2b 2 years ago

Nho Quy Dinh has been awarded the fix bounty

This vulnerability will not receive a CVE

PasswordController.java#L1-L37 has been validated

to join this conversation

We have contacted a member of the alovoa team and are waiting to hear back 2 years ago

Nho Quy Dinh validated this vulnerability 2 years ago

Raptor has been awarded the disclosure bounty

The fix bounty is now up for grabs

Nho Quy Dinh marked this as fixed with commit 05cc2b 2 years ago

Nho Quy Dinh has been awarded the fix bounty

This vulnerability will not receive a CVE

PasswordController.java#L1-L37 has been validated

to join this conversation