Mailcow Session Fixation Vulnerability in Web Panel

Vulnerability

A session fixation vulnerability has been identified in the Mailcow web panel, affecting versions through 2024-11b. It allows a remote attacker who can plant a session identifier in the victim's browser (possible when HTTP Strict Transport Security (HSTS) is disabled) to later reuse that identifier. The root cause is that the login page does not issue a fresh session identifier on authentication; it keeps whatever identifier the browser already presents and validates it. Once the user logs in, that pre-existing identifier becomes an authenticated session, so the attacker can access the victim's web panel with the same identifier.

Impact

Exploitation of this vulnerability allows an attacker to hijack a user's session, gaining unauthorized access to the user's web panel with the same privileges as the authenticated user.

Reproduction

To reproduce this vulnerability, navigate to the Mailcow login page in a browser with HSTS disabled. Before logging in, set the 'PHPSESSID' cookie to a random string. Submit the login form with your username and password. The application accepts the random session identifier rather than issuing a new one, and the web panel becomes accessible under that pre-chosen session.

Remediation

Users can update to Mailcow version 2025-01 or later, where this vulnerability has been patched.
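At the code level, the class of fix is to rotate the session identifier when the user authenticates instead of keeping the one the browser arrived with. The following PHP handler is an added illustration, not Mailcow's own code; it shows the vulnerable pattern beside the hardened one. check_credentials() and its single demo account are hypothetical stand-ins for the application's real authentication check.

```php
<?php
declare(strict_types=1);

function check_credentials(string $user, string $pass): bool
{
    // Hypothetical stand-in for the application's credential check;
    // the demo account below is constructed for this example only.
    static $users = null;
    $users ??= ['demo' => password_hash('demo-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Refuse to adopt a session ID the server never issued. With strict mode
// off, PHP creates a session under whatever PHPSESSID the browser sends,
// which is what lets a planted identifier turn into a real session.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

function login_vulnerable(string $user, string $pass): bool
{
    // Pre-fix pattern: the identifier present before login is kept, so an
    // attacker who knows it now holds an authenticated session.
    if (!check_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

function login_fixed(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // Privilege change: drop pre-login state and issue a brand-new ID.
    // The old (possibly attacker-known) session is deleted server-side.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

$before = session_id();
if (login_fixed($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    // session_id() now differs from $before; a planted cookie is useless.
    header('Location: /');
    exit;
}
http_response_code(401);
```

Enabling session.use_strict_mode on its own would already stop PHP from honouring an uninitialized PHPSESSID, but regenerating the ID at login is the defence that holds regardless of that ini setting.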

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 7.9
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.