PHPGurukul Bank Locker Management System Session Hijacking Vulnerability

A session hijacking vulnerability has been identified in PHPGurukul Bank Locker Management System version 1. The issue arises from improper session invalidation in the Change Password component, located at '/blms/banker/change-password.php'. This flaw allows attackers to intercept and misuse session tokens, gaining unauthorized access to user accounts.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can gain unauthorized access to a user's account and perform actions on their behalf, such as changing the account password.

Reproduction

To reproduce this vulnerability, navigate to the Change Password component in the user panel. Observe the session handling process, then inject a known session ID by setting a predictable or captured session token in the browser before the victim logs in. Once the victim authenticates with the same session ID, the attacker can access the victim's account and change the password.