PHPGurukul Hostel Management System
cpe:2.3:a:phpgurukul:hostel_management_system:*:*:*:*:*:*:*
- 2.1
A session hijacking vulnerability has been identified in PHPGurukul Hostel Management System version 2.1. The issue arises in the user panel's Change Password component, specifically within the /hostel/change-password.php file. The vulnerability is due to improper handling of session data, which can be exploited remotely.
The vulnerability allows for session hijacking, where an attacker can gain unauthorized access to a user's account by exploiting the session management flaw. This could lead to unauthorized actions being performed on behalf of the user, such as changing passwords or accessing sensitive data.
To reproduce this vulnerability, navigate to the Change Password component in the user panel. Observe the session handling mechanism, then inject a known session ID by setting a predictable or captured session token in the browser before the victim logs in. Once the victim authenticates with the injected session ID, the attacker can gain unauthorized access to the victim's account and perform actions like changing the password.
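A hardened login and password-change flow for the fixation pattern described above, as an added example that is not PHPGurukul's code. The function names, the session keys `uid` and `csrf`, and the form fields `csrf` and `current_password` are hypothetical, and it assumes PHP 7.3 or later, HTTPS, and passwords stored with `password_hash()`.

```php
<?php
// Added example, not the project's code. Function names, session keys
// ('uid', 'csrf') and form field names are hypothetical.

// Call before any output. Rejects session IDs the server did not issue
// and keeps the ID out of URLs and client-side script.
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');   // ignore IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([                // array form needs PHP 7.3+
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,                    // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the credentials have been verified. The pre-login ID, which
// may have been planted in the victim's browser, is discarded here.
function complete_login(int $userId): void
{
    session_regenerate_id(true);               // new ID, old session data deleted
    $_SESSION = [];                            // drop anything stored before login
    $_SESSION['uid']  = $userId;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Guard for a change-password handler: authenticated session, matching
// CSRF token, and the current password re-checked before any update.
function may_change_password(array $post, string $storedHash): bool
{
    if (empty($_SESSION['uid']) || empty($_SESSION['csrf'])) {
        return false;
    }
    if (!hash_equals($_SESSION['csrf'], (string)($post['csrf'] ?? ''))) {
        return false;
    }
    if (!password_verify((string)($post['current_password'] ?? ''), $storedHash)) {
        return false;
    }
    session_regenerate_id(true);               // rotate again on credential change
    return true;
}
```

Requiring the current password means a session that was fixed before login cannot by itself be used to change the account password.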