Creativeitem Academy LMS
cpe:2.3:a:creativeitem:academy_lms:*:*:*:*:*:*:*
- <= 5.13
A session fixation vulnerability exists in Creativeitem Academy LMS versions through 5.13. The issue arises because the application does not regenerate session IDs after successful authentication. This flaw allows attackers to hijack user sessions by setting a predetermined session ID, which can be used to access the victim's authenticated session and perform actions on their behalf.
Exploitation of this vulnerability allows attackers to hijack user sessions, gaining access to authenticated accounts and the ability to perform actions as the user. This includes accessing sensitive data and administrative functions.
To reproduce this vulnerability, first obtain a session ID by visiting the login page. This session ID can be extracted from the Set-Cookie header. Once the session ID is obtained, it can be used to create a link that includes the fixed session ID, which can be sent to the victim. Alternatively, the session ID can be injected via cross-site scripting, if such a vulnerability exists. When the victim logs in with the fixed session ID, the session ID remains unchanged, allowing the attacker to access the victim's account.
To address this vulnerability, session regeneration should be implemented after successful authentication. This can be done by using the session_regenerate_id function to generate a new session ID and delete the old one. Additionally, CodeIgniter-specific session management practices can be applied, such as using the framework's session library to handle regeneration and secure session configurations.
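The remediation above, sketched as an added example in plain PHP; it is not code from Academy LMS or CodeIgniter. The `find_user()` lookup, the form field names and the sample account are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Harden session handling before session_start().
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
ini_set('session.use_only_cookies', '1'); // ignore session IDs passed in URLs
ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

/** Hypothetical user lookup backed by constructed sample data. */
function find_user(string $email): ?array
{
    $users = ['student@example.test' => [
        'id'   => 42,
        'hash' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]];
    return $users[$email] ?? null;
}

function login(string $email, string $password): bool
{
    $user = find_user($email);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // The fix: issue a fresh ID and delete the pre-login session, so an ID
    // known before authentication no longer maps to any session. Strict mode
    // alone does not help here, because the fixed ID was issued by the server.
    session_regenerate_id(true);
    // Replace the array so data seeded before login is not carried over.
    $_SESSION = ['user_id' => $user['id'], 'authenticated_at' => time()];
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $before = session_id();
    $ok = login((string)($_POST['email'] ?? ''), (string)($_POST['password'] ?? ''));
    // Regression check: a successful login must leave a different session ID.
    if ($ok && hash_equals($before, session_id())) {
        error_log('session ID unchanged after login');
        http_response_code(500);
        exit;
    }
    http_response_code($ok ? 200 : 401);
}
```

The same before/after comparison of `session_id()` works as a test assertion when verifying that a patched deployment rotates the cookie at login.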