Back to list
Symphony CMS v2.6.7 Session Fixation
Jun 20 2016 04:23AM
hyp3rlinx lycos com
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION
[+] ISR: APPARITIONSEC
Symphony CMS v2.6.7
Symphony is a XSLT-powered open source content management system.
Symphony CMS is prone to "Session Fixation" allowing attackers to preset a users PHPSESSID "Session Identifier".
If the application is deployed using an insecure setup with PHP.INI "session.use_only_cookies" not enabled, attackers can then send
victims a link to the vulnerable application with the "PHPSESSID" already initialized as Symphony does not use or call
"session_regenerate_id()" upon successful user authentication.
Note: as per php.net/manual/en/session.configuration.php "session.use_only_cookies=1" is default since PHP 4.3.0.
As Symphonys Session ID is not regenerated it can result in arbitrary Session ID being 'Fixated' to a user, if that user authenticates using
this attacker supplied session fixated link, the attacker can now access the affected application from a different Computer/Browser
and have the same level of access to that of the victim. Default Cookie lifetime for Symphony CMS is up to two weeks.
Edit PHP.INI and change following settings to 'session.use_only_cookies=0' if applicable, as POC test.
1) Telnet localhost 80
2) make HTTP request with a prefixed PHPSESSID
GET /symphony-2.6.7/symphony/?PHPSESSID=PWN3D666 HTTP/1.1
3) Hit enter twice
HTTP/1.1 200 OK
Date: Mon, 16 May 2016 02:06:47 GMT
Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1l PHP/5.6.8
Set-Cookie: PHPSESSID=PWNED666; expires=Mon, 30-May-2016 02:06:48 GMT; Max-Age=1209600; path=/symphony-2.6.7; httponly
Content-Type: text/html; charset=UTF-8
Vendor Notification: May 3, 2016
Vendor Release Fix: May 23, 2016
June 20, 2016 : Public Disclosure.
Request Method(s): [+] GET / POST
Vulnerable Product: [+] Symphony CMS 2.6.7
Vulnerable Parameter(s): [+] 'PHPSESSID'
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
[ reply ]
Copyright 2010, SecurityFocus