Catalyst Authentication Session Fixation Vulnerability

Vulnerability

A session fixation vulnerability exists in Catalyst::Plugin::Authentication for Perl, specifically in versions prior to 0.10_027. The issue arises because the plugin does not automatically change the session ID after a user is authenticated. This lack of session ID rotation allows an attacker who has obtained a session ID cookie to impersonate the victim.

Impact

Successful exploitation results in session fixation: because the session ID is not rotated at login, a session ID the attacker obtained before the victim authenticated remains valid afterwards, and the attacker can use it to act as the authenticated user.

Reproduction

To reproduce this vulnerability, use Catalyst::Plugin::Authentication versions prior to 0.10_027 together with Catalyst::Plugin::Session. Record the session ID cookie value issued before login, log a user in, and observe that the session ID is unchanged. A session ID obtained before authentication therefore stays valid for the authenticated session and allows an attacker to impersonate the user.

Remediation

Update to Catalyst::Plugin::Authentication version 0.10_027 or later, which addresses the session fixation vulnerability by introducing a setting that rotates the session ID after authentication.
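The following Catalyst controller is an added illustration, not code from the advisory or from the Catalyst::Plugin::Authentication project. It shows the unrotated login pattern described above next to a login action that rotates the session ID itself via change_session_id from Catalyst::Plugin::Session, which is the same mitigation the fixed plugin version applies for you. The application name MyApp, the controller name, the form parameter names and the configured authentication realm are assumptions; the example presupposes an application that loads Catalyst::Plugin::Session (with a state and store backend) and Catalyst::Plugin::Authentication.

```perl
package MyApp::Controller::Login;   # hypothetical app and controller name (assumption)
use Moose;
use namespace::autoclean;

BEGIN { extends 'Catalyst::Controller' }

# Vulnerable pattern (what affected plugin versions did implicitly): the
# session that existed before login keeps its ID after authentication, so a
# session ID known before login now refers to an authenticated session.
sub login_unrotated : Path('/login_unrotated') {
    my ($self, $c) = @_;
    my $params = $c->req->params;   # form fields 'username'/'password' are assumed

    if ($c->authenticate({ username => $params->{username},
                           password => $params->{password} })) {
        # No session ID change here: the pre-login cookie value stays valid.
        $c->res->redirect($c->uri_for('/'));
    }
    else {
        $c->stash(error => 'Invalid username or password');
    }
}

# Hardened pattern: issue a fresh session ID immediately after a successful
# authenticate(), so any session ID obtained before login is useless afterwards.
sub login : Path('/login') {
    my ($self, $c) = @_;
    my $params = $c->req->params;

    if ($c->authenticate({ username => $params->{username},
                           password => $params->{password} })) {
        # change_session_id (Catalyst::Plugin::Session) keeps the session data,
        # assigns a new ID and sends a new session cookie with the response.
        $c->change_session_id;
        $c->res->redirect($c->uri_for('/'));
    }
    else {
        $c->stash(error => 'Invalid username or password');
    }
}

__PACKAGE__->meta->make_immutable;
1;
```

To check which behaviour a deployment has, compare the value of the session cookie (by default named after the lowercased application name with a _session suffix) in the response to the login request against the value sent with it: on an affected version the unrotated action returns the same value, while the rotated action, or the fixed plugin version, returns a different one.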

Added: Jun 9, 2026, 9:39 AM
Updated: Jun 9, 2026, 9:39 AM

Vulnerability Rating (Custom Algorithm)

spread:         0.0
impact:         1.3
exploitability: 6.8
remediation:    0.0
relevance:      9.4
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.