Catalyst::Plugin::Session Insecure Session ID Generation Vulnerability

Vulnerability

A vulnerability exists in Catalyst::Plugin::Session versions prior to 0.44 for Perl, where session IDs are generated insecurely. The session ID is created from a low-entropy mix of a counter, epoch time, a non-cryptographic random value, the process ID, and the current Catalyst context. This predictable generation method could allow an attacker to guess session IDs and gain unauthorized access.

Impact

The vulnerability could lead to session fixation attacks, allowing an attacker to hijack a user's session by predicting and inserting a valid session ID into the user's browser.

Reproduction

The vulnerability can be reproduced by using Catalyst::Plugin::Session in a Perl application. The insecure session ID generation can be observed by examining the default session ID creation method, which hashes predictable data using outdated digest algorithms. This behavior can be verified by checking the session IDs assigned during a user's session, which will reflect the predictable nature of the generation process.

Remediation

Users can update to Catalyst::Plugin::Session version 0.44 or later, where the session ID generation has been improved to use Crypt::SysRandom, a module that provides access to high-quality random data from the system's entropy source.
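
Added example, not code from Catalyst::Plugin::Session or from this advisory: a sketch of the weak pattern described under "Vulnerability" next to an ID generator built on Crypt::SysRandom's random_bytes. The package name MyApp::SessionID, the SHA-1 digest used in the sketch, the hash reference standing in for the Catalyst context, and the 32-byte ID length are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

package MyApp::SessionID;    # hypothetical package name
use Digest::SHA qw(sha1_hex);
use Crypt::SysRandom qw(random_bytes);

my $counter = 0;

# Sketch of the weak pattern the advisory describes (not the module's source).
# Counter, epoch time and PID are small or observable, rand() is not a CSPRNG,
# and the stringified context is only a memory address. Hashing the mix does
# not add entropy that the inputs lack.
sub weak_session_id {
    my ($c) = @_;
    return sha1_hex( join '', ++$counter, time(), rand(), $$, "$c" );
}

# Hardened form: 32 bytes (256 bits) from the system entropy source,
# hex-encoded so the ID keeps the same alphabet as a hex digest.
sub generate_session_id {
    return unpack 'H*', random_bytes(32);
}

package main;

my $ctx = {};    # constructed stand-in for the Catalyst context object
printf "weak:     %s\n", MyApp::SessionID::weak_session_id($ctx);

# Sanity check on the hardened generator: fixed format, no repeats.
my %seen;
for ( 1 .. 1000 ) {
    my $sid = MyApp::SessionID::generate_session_id();
    die "unexpected format: $sid\n" unless $sid =~ /\A[0-9a-f]{64}\z/;
    die "duplicate ID: $sid\n" if $seen{$sid}++;
}
printf "hardened: %s\n", MyApp::SessionID::generate_session_id();
```

For an application that cannot move to 0.44 immediately, a method of this shape defined in the application class is one interim option, assuming the plugin's generate_session_id method is the one being overridden; upgrading remains the fix the advisory names.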

Added: Jul 17, 2025, 2:22 PM
Updated: Jul 17, 2025, 2:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 7.5
exploitability: 8.6
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.