phpgurukul Online Banquet Booking System Session Fixation Vulnerability Allowing Session Hijacking

Vulnerability

A session fixation vulnerability has been identified in phpGurukul Online Banquet Booking System version 1.2. The issue resides in the 'My Account - Change Password' component, specifically within the '/obbs/change-password.php' file. This vulnerability arises from improper management of session data, which can be exploited remotely, leading to session hijacking.

Impact

Exploitation of this vulnerability allows for unauthorized access to a user's session, potentially leading to session hijacking. This could result in exposure of sensitive data, unauthorized actions being performed on behalf of the user, and could have regulatory or legal consequences.

Reproduction

To reproduce this vulnerability, navigate to the '/obbs/change-password.php' page in the user panel. Observe that the session management does not regenerate or validate session IDs on authentication or password change. An attacker can manually set or predict a session ID using tools like Burp Suite or browser developer tools, effectively fixing the session identifier in advance. When a victim logs in, the application accepts the fixed session ID, granting the attacker unauthorized access to the victim's session.
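As an added example that is not part of this advisory or the phpGurukul code base, the following hypothetical PHP login handler shows the fixation-prone shape the reproduction describes next to a hardened version that rejects client-supplied IDs and rotates the ID on login and on password change. The function names and the assumed verify_credentials() helper are illustrative, not the application's own.

```php
<?php
// Added illustration, not code from phpGurukul OBBS.
// Assumes a verify_credentials($user, $pass) helper that returns true on success.

// Fixation-prone: whatever session ID the browser presented (possibly planted
// by an attacker beforehand) is kept and simply marked as authenticated.
function login_vulnerable(string $user, string $pass): bool
{
    session_start();
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;   // anyone who knows the pre-set ID now shares this session
    return true;
}

// Hardened: ignore IDs the server never issued, send the cookie with safe flags,
// and issue a fresh ID on every privilege change so a pre-set ID is worthless.
function login_hardened(string $user, string $pass): bool
{
    ini_set('session.use_strict_mode', '1');   // discard uninitialised IDs from the client
    ini_set('session.use_only_cookies', '1');  // never accept a session ID in the URL
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    if (!verify_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);  // new ID, old one destroyed: the fixed ID no longer maps here
    $_SESSION['user'] = $user;
    $_SESSION['last_regen'] = time();
    return true;
}

// The change-password path is an authenticated-state change too, so rotate there as well.
function after_password_change(): void
{
    session_regenerate_id(true);
}
```

Detection-wise, a session ID that appears in requests before login and is still in use after a successful login is the signature of the weak pattern; the hardened handler guarantees the post-login ID is always new.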

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 7.9
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.