Monday, June 25, 2018

[CVE-2018-1000519] Session Fixation on aiohttp-session prior to 2.4.0

tl;dr If you are using a version of aiohttp-session prior to 2.4.0 update!

 On Apr 30 2018 a session fixation vulnerability was discovered in aiohttp-session which was caused by improper session (in)validation. A detailed description of the vulnerability, steps to reproduce and Proof of Concept code can be found at aiohttp-session#272.

The gist of it is that when invalidating a session, the value of the session was set to equal `{}`. However, when validating a session (i.e. loading it) a session was considered valid if its value was `!= None`.

This could allow a malicious actor to acquire a session, invalidate it, inject the cookie to a victim's browser (before the victim authenticates) and then control the victims session after the victim authenticates (by knowing the session cookie's value).

On May 4 2018 the vulnerability was patched (with aiohttp-session#273) and aiohttp-session v2.4.0 was released.

On May 12 2018 aiohttp-session's API (and documentation) was expanded to allow explicit acquisition of new session (to be used on login functions) to safeguard from user-code oriented Session Fixation vulnerabilities.

Finally on Jun 22 2018 this vulnerability was assigned CVE-2018-1000519.

No comments:

Post a Comment