Code-Projects Hospital Management System Session Fixation Vulnerability

Vulnerability

A session fixation vulnerability has been identified in Code-Projects Hospital Management System version 1.0. The application initialises the express-session middleware with a hardcoded secret. express-session uses this secret to sign the session ID cookie (an HMAC appended to the session ID), so anyone who knows or guesses it can mint cookies the server accepts as its own, bypassing authentication for any session whose ID they can supply and impersonating that session's user. The vulnerability could lead to unauthorized access to sensitive patient information and administrative functions.

Impact

Exploitation of this vulnerability allows for unauthorized access to user accounts and sensitive patient data, as well as a full compromise of administrative functions and system data integrity.

Reproduction

The vulnerability is present in Hospital Management System version 1.0. The express-session middleware is configured with the literal secret value 'secret', together with saveUninitialized set to true and resave set to true. express-session signs only the session ID: the cookie value is the ID followed by an HMAC computed with this secret, while the session data itself lives in the server-side store. Because saveUninitialized is true, every visitor, authenticated or not, receives a signed cookie, which gives an attacker a sample against which to confirm a guessed secret offline. Once the secret is confirmed, the attacker can sign any session ID of their choosing. A forged cookie whose ID matches a live session in the store (one the attacker has learned, or one planted in the victim's browser that the victim later authenticates under) is accepted, and the request runs as that session's user. Note that express-session issues a fresh session ID when the cookie's ID is not found in the store, so the forged cookie alone cannot carry user data; it must name a session that exists.

Remediation

To address this vulnerability, the hardcoded secret should be replaced with a long, random, unpredictable string (for example 32 bytes from a cryptographic random source) that is never committed to the code base. It is recommended to supply the secret through an environment variable such as process.env.SESSION_SECRET and to fail startup if it is missing. Secure cookie attributes should be enabled, including httpOnly, secure, and sameSite, and saveUninitialized and resave should be set to false so that cookies are only issued for sessions that hold data. Because the issue is classed as session fixation, the application should also regenerate the session (req.session.regenerate) on successful login so that any ID planted before authentication is discarded.

Added: Oct 11, 2025, 6:19 PM
Updated: Oct 11, 2025, 6:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 5.0
exploitability: 9.1
remediation: 6.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.