CVE-2021-31745: Pluck 4.7.15 - Session Fixation Vulnerability · Issue #99 · pluck-cms/pluck

Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password.

Issue Summary
A session-fixation vulnerability exists within Pluck’s administrative login system which can be abused to retain a valid login session even after an administrator has changed their password.

Detailed Description
It is possible to arbitrarily set the session ID carried in Pluck’s “PHPSESSID” cookie, the cookie used to maintain administrative login sessions. Because the login handler accepts a client-supplied ID and simply marks that session as authenticated, the cookie value can be used in a session-fixation attack, for example to sustain unauthorized access to the CMS after already gaining it through a primary vulnerability. Furthermore, Pluck does not expire sessions in a timely manner, nor does it bind sessions to any other client attribute. This also makes a brute-force attack easier: session IDs can be guessed directly, bypassing the rate limits that the normal login process imposes on password attempts.


Reproduction Steps

  1. In Google Chrome, open the developer tools, then navigate to Application > Storage > Cookies > <PLUCK_DOMAIN>.

  2. Change the value of the “PHPSESSID” cookie to an arbitrary value, such as "wolf".

  3. Visit <PLUCK_DOMAIN>/login.php and log in to the Pluck administrative panel with valid credentials.

  4. In a second browser (or a fresh private window), repeat steps 1 and 2 so that it carries the same “PHPSESSID” value.

  5. In that second browser, visit <PLUCK_DOMAIN>/login.php: you are given access to the administrative panel without being prompted for credentials.

Impact
After any primary exploit has occurred, the session-fixation attack can be used to sustain unauthorized access. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password.
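The following is an added illustration, not Pluck’s code or a patch from the project, of the two behaviours described in the Detailed Description and Impact sections: a login handler that accepts a client-chosen session ID and merely flags it as authenticated, beside a hardened handler that rejects uninitialised IDs, rotates the ID on login, enforces an idle timeout, and invalidates every other session when the password changes. The `$users` array, the `session_generation` counter and all function names are assumptions made for the example.

```php
<?php
// Added example (not Pluck's code): weak session handling in the style the
// issue describes, beside a hardened version. $users, check names and the
// "session_generation" counter are assumptions for illustration only.
declare(strict_types=1);

// Constructed user record: password hash plus a per-user generation counter
// that the hardened code bumps whenever the password changes.
$users = [
    'admin' => [
        'hash'               => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        'session_generation' => 1,
    ],
];

// --- Weak pattern (the behaviour described above) -----------------------------
// session_start() adopts whatever PHPSESSID the client sent (e.g. "wolf") and
// the login handler flags that very session as authenticated, so anyone who
// planted that cookie value now shares the administrator's session.
function weak_login(array $users, string $user, string $pass): bool
{
    session_start();                       // accepts an attacker-chosen PHPSESSID
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false;
    }
    $_SESSION['user'] = $user;             // bound to the pre-set session ID
    return true;
}

// --- Hardened pattern ---------------------------------------------------------
function hardened_login(array $users, string $user, string $pass): bool
{
    session_start([
        'use_strict_mode' => true,         // ignore IDs the server never issued
        'cookie_httponly' => true,
        'cookie_samesite' => 'Lax',
    ]);
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh ID; the old (possibly fixed) one is deleted
    $_SESSION['user']               = $user;
    $_SESSION['session_generation'] = $users[$user]['session_generation'];
    $_SESSION['last_seen']          = time();
    return true;
}

// Call on every authenticated request. A session stays valid only while its
// generation matches the user's current one and it has not idled too long.
function hardened_session_is_valid(array $users, int $idle_limit = 900): bool
{
    if (empty($_SESSION['user']) || !isset($users[$_SESSION['user']])) {
        return false;
    }
    $u = $users[$_SESSION['user']];
    if (($_SESSION['session_generation'] ?? -1) !== $u['session_generation']) {
        return false;                      // password changed since this session logged in
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > $idle_limit) {
        return false;                      // idle timeout
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Password change from within an authenticated request: bump the generation so
// every other existing session, including one an attacker is holding, fails
// hardened_session_is_valid() on its next request, and rotate this session's ID.
function change_password(array &$users, string $user, string $new_pass): void
{
    $users[$user]['hash'] = password_hash($new_pass, PASSWORD_DEFAULT);
    $users[$user]['session_generation']++;
    session_regenerate_id(true);
    $_SESSION['session_generation'] = $users[$user]['session_generation'];
}
```

The generation counter, rather than deleting session files, is what makes "reset the administrator password" an effective remediation: stale sessions may still exist in the session store, but no request carrying one passes the per-request check. `use_strict_mode` alone closes the fixation step (a never-issued ID such as "wolf" is replaced with a server-generated one), and `session_regenerate_id(true)` after login closes it even where the ini setting cannot be controlled; the idle-timeout check addresses the "does not expire sessions in a timely manner" point. Note that `session_regenerate_id()` must be called only after `session_start()`, so `change_password()` assumes it runs inside an already authenticated request.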
