Overview
In `dapps`, version 1.3.0 is vulnerable to `Insufficient Session Expiration`: the application's session management fails to invalidate a session in another browser instance (e.g. Firefox) even after the password is changed in one browser instance (e.g. Chrome). This flaw allows a user to remain logged in and perform functions, whereas the current user session must be invalidated immediately after the user password is changed.
Details
The `dapps` module can be abused through the `Insufficient Session Expiration` vulnerability: the application's session management fails to invalidate a session in another browser instance (e.g. Firefox) even after the password is changed in one browser instance (e.g. Chrome). This flaw allows a user to remain logged in and perform functions, whereas the current user session must be invalidated immediately after the user password is changed. It is recommended that the session expire when the user updates their password from the application.
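The recommended behaviour, as an added example that is not `dapps` code and not part of the original report: a session store that indexes tokens per user so that a password change revokes every session opened under the old password. `SessionStore` and its method names are hypothetical, the store is in-memory, and re-issuing a session to the browser that made the change is a design choice.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory session store that indexes tokens per user (hypothetical design)."""

    def __init__(self):
        self._users = {}      # username -> (salt, password hash)
        self._sessions = {}   # token -> username
        self._by_user = {}    # username -> set of live tokens

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check(self, username, password):
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        if not self._check(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        self._by_user.setdefault(username, set()).add(token)
        return token

    def whoami(self, token):
        return self._sessions.get(token)

    def change_password(self, token, old, new):
        username = self.whoami(token)
        if username is None or not self._check(username, old):
            return None
        self.register(username, new)
        # The step the report says is missing: drop every session opened
        # under the old password, in every browser.
        for stale in self._by_user.pop(username, set()):
            self._sessions.pop(stale, None)
        # Design choice: hand the requesting browser a fresh session.
        return self.login(username, new)
```

Every authenticated request should resolve its token through `whoami`, so a revoked token fails on its next use.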
PoC Details
Log in to the `dapps` application in two browser instances (e.g. Firefox and Chrome) through http://localhost:8000/html/v1/login. After logging in, change the password in one browser instance (Chrome): click the `setup` option in the top right corner, then click the `change password` option. Enter the old password, provide a new password and confirmation password, and click the `modify` button. A success alert confirms the password modification. In the other browser instance (Firefox), however, the session is still running with the old password (it has not been invalidated) even though the password has been changed, and the user is able to perform some actions with the old password session.
Affected Environments
1.3.0
Prevention
No fix