Psi Probe Denial-of-Service Vulnerability via Session Expiration Endpoint
Vulnerability
A denial-of-service vulnerability has been identified in Psi Probe versions through 5.3.0. The issue arises in the Session Handler component, specifically within the ExpireSessionsController.java file, in the handleRequestInternal function. This vulnerability allows authenticated users with the 'probeuser' role to terminate multiple user sessions simultaneously through the '/app/expire_list.htm' endpoint. The application processes these bulk session expiration requests without validating session ownership, enabling low-privileged users to log out multiple users across different web applications with a single request.
Impact
Exploitation of this vulnerability can lead to widespread denial-of-service, forcing multiple users to re-authenticate and potentially overwhelming authentication systems. Additionally, it can disrupt critical administrative operations by logging out entire teams simultaneously.
Reproduction
To reproduce this vulnerability, authenticate to Psi Probe with 'probeuser' credentials. Then, send a bulk expiration request to the '/app/expire_list.htm' endpoint, specifying multiple session IDs in the 'sid_webapp' parameter. The application will terminate all specified sessions immediately, regardless of ownership.
Remediation
It is recommended to implement ownership validation and access controls in the ExpireSessionsController. Additionally, adding security constraints in the web.xml file to restrict bulk operations to users with administrative privileges could help mitigate this vulnerability.
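One shape the recommended ownership check could take, as an added example that is not Psi Probe's code: a caller holding an assumed administrative role ('manager') may expire any listed session, everyone else may expire only their own, and a low-privileged request naming any foreign session is refused whole before anything is terminated. The role name and the treatment of each 'sid_webapp' value as a bare session id are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Illustrative authorizer for a bulk session-expiration request (added example,
 * not Psi Probe code). It decides which requested session ids the caller may
 * expire; the controller would call it before touching any session.
 */
public final class ExpireSessionsAuthorizer {

    /** Result: ids that may be expired and ids that were refused. */
    public record Decision(List<String> allowed, List<String> refused) {}

    public static Decision authorize(Set<String> callerRoles,
                                     String callerSessionId,
                                     List<String> requestedSessionIds) {
        List<String> allowed = new ArrayList<>();
        List<String> refused = new ArrayList<>();
        // Assumed role name: only administrators may expire sessions they do not own.
        boolean admin = callerRoles.contains("manager");
        for (String sid : requestedSessionIds) {
            if (sid == null || sid.isBlank()) {
                continue;                               // ignore empty parameter values
            }
            if (admin || sid.equals(callerSessionId)) {
                allowed.add(sid);                       // administrator, or the caller's own session
            } else {
                refused.add(sid);                       // someone else's session
            }
        }
        // Fail closed for low-privileged callers: a request mixing their own session
        // with foreign ones is rejected as a whole and should be logged as an attempt.
        if (!admin && !refused.isEmpty()) {
            List<String> all = new ArrayList<>(allowed);
            all.addAll(refused);
            return new Decision(List.of(), all);
        }
        return new Decision(allowed, refused);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real session ids.
        List<String> requested = List.of("SID-OWN", "SID-OTHER-1", "SID-OTHER-2");
        Decision lowPriv = authorize(Set.of("probeuser"), "SID-OWN", requested);
        Decision adminReq = authorize(Set.of("probeuser", "manager"), "SID-ADMIN", requested);
        System.out.println("probeuser -> allowed=" + lowPriv.allowed() + " refused=" + lowPriv.refused());
        System.out.println("manager   -> allowed=" + adminReq.allowed() + " refused=" + adminReq.refused());
    }
}
```

The controller would then expire only `allowed()` and return a 403 (and an audit-log entry) when `refused()` is non-empty for a non-administrative caller.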