
As an Ethical Hacker Bug Found in your site


Julien Lux

Hello,

So I received a suspicious message for one of my websites (PrestaShop 1.6.1.4). It sounds like a hoax, but I can't find anybody with the same message on Google.
What do you think about it?

Hi,

As an Ethical Hacker
Bug Found in your site: https://xxxxxx.com/
Bug Type: Session Management [Session invalidation]

Description of the issue: The server does not invalidate the previous session once the password is changed by the legitimate user.

How to reproduce? Log in to your account using Firefox. Now log in to the same account using Google Chrome. Let's assume the website user's account is compromised, so he wants to change his password; he will navigate to the forgot-password page or simply the password-change page and will change his password in the Chrome browser. The web user is able to change his password and the session from which the password was changed is logged out, but it was observed that the previous session in Firefox is still not invalidated, and I was actually able to browse the website from both sessions.

Impact: If the web user's account is compromised, he will simply change his password, but if the previous session is not invalidated there is no use in changing the password.

Remediation: Invalidate the previous session once the password has been changed and force the web user to re-login to the website.

Waiting for your response......!!!!!!!!!!!!!!!!!!!!!!!!!!

Regards,
Ethical Hacker

Thank you

Edited by Julien Lux
prestashop version added (see edit history)
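The behaviour the message describes, and the remediation it asks for, modelled as an added example (this is not PrestaShop's code or the poster's): a toy in-memory session store that tags every session with the password version it was issued under, so a password change can reject sessions that predate it. The account "alice", the passwords and the SHA-256 hashing are constructed for the demo.

```python
import hashlib
import secrets


class Server:
    """Toy session store; invalidate_on_change=False reproduces the reported flaw (constructed demo)."""

    def __init__(self, invalidate_on_change):
        self.invalidate_on_change = invalidate_on_change
        self.users = {}     # name -> {"hash": ..., "version": n}; version bumps on every change
        self.sessions = {}  # token -> (name, version at login); token = browser cookie value

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()  # demo only, not a password KDF

    def register(self, name, password):
        self.users[name] = {"hash": self._hash(password), "version": 0}

    def login(self, name, password):
        user = self.users[name]
        if user["hash"] != self._hash(password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = (name, user["version"])
        return token

    def is_logged_in(self, token):
        if token not in self.sessions:
            return False
        name, seen_version = self.sessions[token]
        if self.invalidate_on_change and seen_version != self.users[name]["version"]:
            del self.sessions[token]  # issued before the password change: stale, drop it
            return False
        return True

    def change_password(self, token, new_password):
        name, _ = self.sessions[token]  # only an authenticated session may change it
        self.users[name]["hash"] = self._hash(new_password)
        self.users[name]["version"] += 1  # every other session now fails the version check
        del self.sessions[token]  # the changing session is logged out, as the message observed


def reproduce(invalidate_on_change):
    """The message's steps: log in from two browsers, change the password in the second; True if the first survives."""
    srv = Server(invalidate_on_change)
    srv.register("alice", "old-pass")  # constructed sample account
    firefox = srv.login("alice", "old-pass")
    chrome = srv.login("alice", "old-pass")
    srv.change_password(chrome, "new-pass")
    return srv.is_logged_in(firefox)
```

`reproduce(False)` returns True (the Firefox session survives, which is the reported bug) and `reproduce(True)` returns False; the version check is what the "invalidate the previous session" remediation amounts to, without needing to enumerate a user's sessions.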