Julien Lux, posted June 15, 2020 (edited)

Hello,

So I received a suspicious message for one of my websites (PrestaShop 1.6.1.4). It sounds like a hoax, but I can't find anybody with the same message on Google. What do you think about it?

Hi,
As an Ethical Hacker, Bug Found in your site: https://xxxxxx.com/
Bug Type: Session Management [Session invalidation]
Description of the issue: The server does not invalidate the previous session once the password is changed by the legitimate user.
How to reproduce? Log in to your account using Firefox. Now log in to the same account using Google Chrome. Let's assume the website user's account is compromised, so he wants to change his password; he will navigate to the forgot-password page or simply the password-change page and will change his password in the Chrome browser. The web user is able to change his password and the session from which the password was changed is logged out, but it was observed that the previous session in Firefox is still not invalidated, and I was actually able to browse the website from both sessions.
Impact: If the web user's account is compromised, he will simply change his password, but if the previous session is not invalidated there is no use in changing the password.
Remediation: Invalidate the previous session once the password has been changed and force the web user to re-login to the website.
Waiting for your response!
Regards,
Ethical Hacker

Thank you

Edited June 15, 2020 by Julien Lux (PrestaShop version added)
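The behaviour in the quoted report, modelled as an added Python example (not PrestaShop code and not from anyone in this thread): a server-side session store that stamps each session with the user's credential generation, replayed in both the weak mode the report describes (only the changing session is logged out) and the remediated mode (all sessions for the user are rejected after the change). The names User, SessionStore and reproduce, and the sample account, are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def _hash(password: str) -> str:
    # Demo only: a real application uses a slow password hash (bcrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


class User:
    def __init__(self, username: str, password: str):
        self.username = username
        self.pw_hash = _hash(password)
        self.generation = 0  # incremented on every credential change


class SessionStore:
    def __init__(self, invalidate_on_password_change: bool):
        self.invalidate = invalidate_on_password_change
        self.sessions = {}  # session id -> (user, generation stamped at login)

    def login(self, user: User, password: str):
        if not hmac.compare_digest(user.pw_hash, _hash(password)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, user.generation)
        return sid

    def is_valid(self, sid) -> bool:
        entry = self.sessions.get(sid)
        # A stale generation means the credentials changed after this session began.
        return entry is not None and entry[1] == entry[0].generation

    def change_password(self, sid, new_password: str) -> bool:
        if not self.is_valid(sid):
            return False
        user, _ = self.sessions.pop(sid)  # the changing session is always logged out
        user.pw_hash = _hash(new_password)
        if self.invalidate:
            user.generation += 1  # remediation: every other session now fails is_valid()
        return True


def reproduce(invalidate: bool) -> bool:
    """Replay the report: log in from 'firefox' and 'chrome', change the password in
    chrome, then return whether the firefox session is still accepted."""
    user = User("alice", "old-pass")  # constructed sample account
    store = SessionStore(invalidate_on_password_change=invalidate)
    firefox = store.login(user, "old-pass")
    chrome = store.login(user, "old-pass")
    store.change_password(chrome, "new-pass")
    return store.is_valid(firefox)
```

reproduce(False) returns True (the Firefox session survives, as in the report); reproduce(True) returns False.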
joseantgv, posted June 15, 2020

You can report this issue to [email protected]
khanhkg, posted February 26, 2021

Hi Julien, were you able to find a fix for this? I also received a similar email.