PHPGurukul User Registration & Login
cpe:2.3:a:phpgurukul:user_registration_&_login_and_user_management_system:*:*:*:*:*:*:*
- 3.3
A critical session fixation vulnerability has been identified in PHPGurukul User Registration & Login and User Management System version 3.3. The issue resides in the Change Password component of the user panel, specifically within the '/loginsystem/change-password.php' file. The vulnerability arises from improper handling of session data, which allows for remote session hijacking attacks, leading to unauthorized account access and actions such as password changes.
Exploitation of this vulnerability allows for session fixation, where an attacker can gain unauthorized access to a victim's account by hijacking their session.
To reproduce this vulnerability, manually set or predict a session ID and send it to the victim. Once the victim logs in using the fixed session ID, the attacker can access the victim's account and change the password.
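A common defense against the session fixation described above, shown as an added example (not code from PHPGurukul or from this advisory): the server refuses session IDs it did not issue, issues a fresh ID at login, and re-checks the current password before a change. The function names and the `$_SESSION` keys are hypothetical, and the sketch assumes HTTPS, PHP 7.3 or later, and password hashes created with `password_hash()`.

```php
<?php
// Added illustration, not PHPGurukul code. Function names and the
// $_SESSION keys ('uid', 'created') are hypothetical.

// Call before any output, on every page that uses the session.
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
    ini_set('session.use_trans_sid', '0');    // never write the ID into links
    session_set_cookie_params([               // array form needs PHP 7.3+
        'httponly' => true,
        'secure'   => true,   // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once credentials have been verified at login.
function on_login_success(int $userId): void
{
    // New ID for the authenticated session; true deletes the old session
    // data, so a pre-login ID known to someone else stops working.
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
    $_SESSION['created'] = time();
}

// Gate for a change-password handler. $storedHash is the user's current
// hash loaded by the caller (assumed to come from password_hash()).
function change_password(string $current, string $new, string $storedHash): ?string
{
    if (empty($_SESSION['uid'])) {
        return null; // not authenticated
    }
    // Re-authenticate: a valid session alone must not be enough.
    if (!password_verify($current, $storedHash)) {
        return null;
    }
    session_regenerate_id(true); // rotate the ID after the credential change
    return password_hash($new, PASSWORD_DEFAULT); // caller stores this hash
}
```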