Key Systems Global Facilities Management Software Session Hijacking Vulnerability

Vulnerability

A session hijacking vulnerability has been identified in Key Systems Inc Global Facilities Management Software version 20230721a. The issue arises because session identifiers are transmitted in the URL query parameter 'sid' instead of being managed through HTTP cookies. Because the identifier is part of the URL, it is recorded in browser history, web server and proxy logs, and the Referer header sent to other sites, and it is visible in network traffic. A remote attacker who obtains a valid 'sid' value from any of these sources can use it to impersonate the authenticated user and gain unauthorized access to the application with that user's privileges.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can gain unauthorized access to an application by replaying a valid session identifier.

Reproduction

To reproduce this vulnerability, first verify that the Global Facilities Management Software version is 20230721a. After authentication, observe that the application does not issue a session cookie; instead, a session identifier is carried as the 'sid' query parameter in the URL. Submitting a GET request that contains the same 'sid' value from a second browser is accepted as the authenticated user's session.
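For defenders, the leak surfaces where the advisory says it does: in server logs and Referer headers. The following check, added here as an example and not part of the advisory or the vendor's product, scans constructed Apache-style access-log lines for a session identifier carried in the request URL or in the Referer, and reports each occurrence with the token redacted so the report itself does not become another copy of the secret. The log lines, hostnames and token values are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; hostnames, paths and tokens are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2026:17:44:01 +0000] "GET /gfms/index.php?sid=4f3c9a7b2e1d HTTP/1.1" 200 5120 "-"
10.0.0.5 - - [20/Feb/2026:17:44:09 +0000] "GET /gfms/report.php?sid=4f3c9a7b2e1d&view=1 HTTP/1.1" 200 2048 "http://fm.example.internal/gfms/index.php?sid=4f3c9a7b2e1d"
10.0.0.9 - - [20/Feb/2026:17:45:12 +0000] "GET /gfms/login.php HTTP/1.1" 200 1024 "-"
10.0.0.9 - - [20/Feb/2026:17:45:20 +0000] "POST /gfms/login.php HTTP/1.1" 302 0 "-"
"""

# Combined-log-format fields: client IP, timestamp, request line, status, size, referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Query parameter names that carry a session identifier; 'sid' is the one named in the advisory.
SESSION_PARAMS = {"sid"}


def redact(token: str) -> str:
    """Keep only a short prefix so findings can be correlated without reproducing the secret."""
    return token[:4] + "..." if len(token) > 4 else "..."


def find_url_session_leaks(log_text: str) -> list:
    """Return one finding per session identifier seen in a request URL or Referer header."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for source, url in (("request", m["target"]), ("referer", m["referer"])):
            if url == "-":
                continue  # no referer sent
            parts = urlsplit(url)
            qs = parse_qs(parts.query)
            for param in SESSION_PARAMS:
                for token in qs.get(param, []):
                    findings.append({
                        "ip": m["ip"],
                        "source": source,     # where the token appeared
                        "path": parts.path,
                        "token": redact(token),
                    })
    return findings


def distinct_tokens(log_text: str) -> int:
    """Number of distinct (redacted) session identifiers exposed in the log."""
    return len({f["token"] for f in find_url_session_leaks(log_text)})


if __name__ == "__main__":
    for finding in find_url_session_leaks(SAMPLE_LOG):
        print(finding)
    print("distinct exposed tokens:", distinct_tokens(SAMPLE_LOG))
```

Because the Referer is checked as well as the request line, the same token shows up once for the page that issued it and again when a later request carries it in the Referer, which is exactly the path by which it can reach a third-party site. Run the same check over proxy and load-balancer logs, which retain query strings for as long as their retention policy allows.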

Remediation

It is recommended to remove session identifiers from URLs and carry them in cookies marked Secure and HttpOnly instead. Additionally, sessions should be invalidated on logout, given short lifetimes, and rotated on authentication so that an identifier issued before login cannot be used afterwards. Enforcing strict session termination controls and additional session binding measures can further mitigate the risk of session hijacking.
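The following session store, added here as an illustrative example and not code from Key Systems or the affected product, puts the remediation points into one place: the identifier lives only in a cookie with the Secure, HttpOnly and SameSite attributes, a 'sid' query parameter is ignored even if present, the identifier is rotated at login, sessions expire on an idle timeout and an absolute lifetime, and logout destroys the server-side record. The cookie name, timeouts and clock hook are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_COOKIE = "GFMS_SESSION"   # assumed cookie name
IDLE_TIMEOUT = 15 * 60            # assumed: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 60 * 60    # assumed: a session never outlives 8 hours


@dataclass
class Session:
    user: Optional[str]   # None until the user has authenticated
    created: float
    last_seen: float


class SessionStore:
    """Server-side session records keyed by an unguessable identifier."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    def create(self, user: Optional[str] = None) -> str:
        # 32 random bytes from the OS CSPRNG; the identifier itself carries no information.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, expiring it if either timeout has passed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def rotate_on_login(self, old_sid: Optional[str], user: str) -> str:
        """Issue a fresh identifier at the privilege change and retire the pre-login one."""
        if old_sid is not None:
            self.destroy(old_sid)
        return self.create(user)

    def destroy(self, sid: str) -> None:
        """Logout: remove the record so a replayed identifier finds nothing."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Set-Cookie value that keeps the identifier out of URLs, scripts and cross-site requests."""
    return (f"{SESSION_COOKIE}={sid}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Strict")


def session_from_request(store: SessionStore, cookies: Dict[str, str],
                         query: Dict[str, str]) -> Optional[Session]:
    """Resolve the caller's session from the cookie only; a 'sid' query parameter is never honoured."""
    sid = cookies.get(SESSION_COOKIE)
    if sid is None:
        return None
    return store.lookup(sid)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                         # pre-login session
    authed = store.rotate_on_login(anon, "alice")  # new identifier after authentication
    print(set_cookie_header(authed))
    print("old id still valid:", store.lookup(anon) is not None)
    store.destroy(authed)                          # logout
    print("after logout:", store.lookup(authed))
```

The pre-login identifier is deliberately destroyed rather than upgraded in place: any copy of it that reached a log or a Referer before authentication is then useless, which is the property the advisory's remediation asks for.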

Added: Feb 20, 2026, 5:44 PM
Updated: Feb 20, 2026, 7:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 7.6
remediation: 0.0
relevance: 3.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.