Givanz Vvveb CMS Session Fixation Vulnerability

A critical session fixation vulnerability has been identified in Givanz Vvveb CMS version 1.0.6.1. This vulnerability allows attackers to hijack user sessions by exploiting the application's failure to regenerate session IDs after login. As a result, an attacker can reuse a legitimate session ID or introduce a custom one to gain unauthorized access to a user's account. This issue affects both regular users and administrators, with the potential for complete account takeover, especially in the case of admin accounts.

Impact

Exploitation of this vulnerability leads to unauthorized session hijacking, allowing attackers to gain full access to the accounts of the affected users. In the case of an administrator, this includes complete control over the CMS, with the ability to modify or delete content, manage users, and potentially introduce malicious elements into the website.

Reproduction

To reproduce this vulnerability, set a custom PHPSESSID cookie in the victim's browser before they log in. Once the login is successful, the application will not regenerate the session ID, allowing the attacker to hijack the session using the pre-set cookie.

Remediation

Users are advised to upgrade to Givanz Vvveb version 1.0.7, which addresses this vulnerability by ensuring that session IDs are properly regenerated after login. The updated version is available on the Givanz Vvveb GitHub releases page.