FreshRSS Session Management Vulnerability Allowing Session Hijacking and Fixation

Vulnerability

A session management vulnerability has been identified in FreshRSS, an open-source RSS aggregator, affecting versions through 1.26.3. The application does not properly terminate user sessions on logout: after the user logs out, the session cookie keeps the same value and the server still honours it, so anyone who has obtained that cookie value can reuse it once the user logs in again. This flaw leads to both session hijacking and session fixation.

Impact

Exploitation of this vulnerability allows session hijacking: an attacker holding the stale session cookie can reach authenticated endpoints after the legitimate user signs in again. It also poses a session fixation risk, because the same session ID is carried across separate login sessions instead of being replaced.

Reproduction

To reproduce this vulnerability, log into FreshRSS and note the value of the session cookie. Log out and observe that the cookie value is unchanged, which shows the session was not terminated. After logging in again, that same cookie value still grants access to authenticated endpoints.

Remediation

Upgrade to FreshRSS version 1.27.0, which addresses this vulnerability by regenerating the session ID on logout and ensuring that only a single session cookie is sent to the client.
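The following is an added example, not FreshRSS's own code, that models the two logout behaviours this advisory contrasts in a small in-memory session store. `logout_vulnerable` wipes session data but leaves the ID (and therefore the cookie value) untouched, which is the behaviour reported above; `logout_fixed` destroys the old session server-side and hands the client exactly one fresh, unauthenticated ID. `old_cookie_reusable` replays the reproduction steps against either variant. The store, the user name `alice`, and the `rotate` flag are all assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Added example (not FreshRSS's own code): an in-memory session store that
# models the logout behaviour described in the advisory. Session data lives
# server-side, keyed by the id carried in the client's cookie.


@dataclass
class SessionStore:
    sessions: Dict[str, dict] = field(default_factory=dict)

    def new_session(self) -> str:
        """Create an empty, unauthenticated session and return its id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, sid: str, username: str, rotate: bool) -> str:
        """Authenticate the session. With rotate=True the id changes at login,
        the standard defence against fixation (assumed flag, not a FreshRSS API)."""
        if sid not in self.sessions:
            sid = self.new_session()
        if rotate:
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = username
        return sid

    def logout_vulnerable(self, sid: str) -> str:
        """Flawed logout: wipes the data but keeps the id alive, so the
        client's cookie value is unchanged (the behaviour the advisory reports)."""
        if sid in self.sessions:
            self.sessions[sid] = {}
        return sid

    def logout_fixed(self, sid: str) -> str:
        """Correct logout: destroys the old session server-side and issues one
        fresh unauthenticated id, so the old cookie value is no longer accepted."""
        self.sessions.pop(sid, None)
        return self.new_session()

    def current_user(self, sid: str) -> Optional[str]:
        """Who the server believes this cookie value belongs to, if anyone."""
        return self.sessions.get(sid, {}).get("user")


def old_cookie_reusable(store: SessionStore, logout: Callable[[str], str],
                        rotate_on_login: bool) -> bool:
    """Replay the advisory's reproduction: capture the cookie value while
    logged in, log out, log in again, and ask whether the captured value
    still maps to an authenticated session. True means the flaw is present."""
    captured = store.login(store.new_session(), "alice", rotate_on_login)
    browser_cookie = logout(captured)           # value the browser holds after logout
    store.login(browser_cookie, "alice", rotate_on_login)  # user signs in again
    return store.current_user(captured) == "alice"


if __name__ == "__main__":
    weak = SessionStore()
    print("vulnerable flow, old cookie reusable:",
          old_cookie_reusable(weak, weak.logout_vulnerable, False))
    fixed = SessionStore()
    print("fixed flow, old cookie reusable:",
          old_cookie_reusable(fixed, fixed.logout_fixed, True))
```

The check captures both properties a logout must satisfy: the cookie value the client ends up with must differ from the one it had while authenticated, and the old value must no longer resolve to any session on the server. In PHP, the primitive that gives both is `session_regenerate_id(true)` after clearing `$_SESSION`, since the `true` argument also deletes the old session data.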

Added: Sep 29, 2025, 10:22 PM
Updated: Sep 29, 2025, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.3
exploitability: 9.5
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.