SourceCodester Prison Management System
cpe:2.3:a:prison_management_system_project:prison_management_system:*:*:*:*:*:*:*
- 1.0
A session fixation vulnerability has been identified in SourceCodester Prison Management System version 1.0, specifically within the Login component. This vulnerability allows remote attackers to hijack administrator sessions by exploiting the application's failure to regenerate the session ID after a successful login. As a result, attackers can use a pre-obtained session token to gain unauthorized access to administrative privileges.
Exploitation of this vulnerability allows for session hijacking, where an attacker can gain full administrative access by reusing a fixed session ID. This access bypasses normal authentication processes, leading to unauthorized control over the application.
The vulnerability can be reproduced by first obtaining a fixed session ID from an unauthenticated session. This can be done by accessing the login page and capturing the PHPSESSID cookie. Once the fixed session ID is acquired, an attacker can induce an administrator to log in using that session ID, thereby hijacking the session and gaining administrative rights.
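The pattern behind this weakness, shown as an added illustration rather than code from the Prison Management System project: a login handler that keeps the pre-authentication session ID beside one that regenerates it and hardens the cookie. The `authenticate()` helper, the constructed demo credential and the `$_SESSION['admin']` key are assumptions.

```php
<?php
// Added illustration of the session-fixation pattern described above.
// NOT the Prison Management System's own code; authenticate() and the
// demo credential are assumptions used only to make the example runnable.
declare(strict_types=1);

// Stand-in for the application's credential check (constructed).
function authenticate(string $user, string $pass): bool
{
    static $storedHash = null;
    $storedHash ??= password_hash('demo-password', PASSWORD_DEFAULT);
    return $user === 'admin' && password_verify($pass, $storedHash);
}

// VULNERABLE: the session ID that existed before login is kept. Whoever
// already knows that ID now holds an authenticated admin session.
function loginVulnerable(string $user, string $pass): bool
{
    session_start();
    if (!authenticate($user, $pass)) {
        return false;
    }
    $_SESSION['admin'] = $user;
    return true;
}

// FIXED: reject IDs the server never issued, discard the pre-login ID on
// success and issue a fresh one, so a token captured before login is
// worthless afterwards. Cookie flags limit exposure of the new ID.
function loginFixed(string $user, string $pass): bool
{
    ini_set('session.use_strict_mode', '1');   // refuse uninitialised IDs
    session_set_cookie_params([
        'httponly' => true,   // not readable from script
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
    if (!authenticate($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);   // true: delete the old session data too
    $_SESSION['admin'] = $user;
    return true;
}

// Logout should invalidate the server-side session, not just clear state.
function logout(): void
{
    session_start();
    $_SESSION = [];
    session_destroy();
}
```

To verify a deployment, compare the `PHPSESSID` cookie issued on the login page with the one returned after a successful login: it must change. With `session.use_strict_mode` enabled, a client-supplied ID that the server never created is also refused rather than adopted.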