blueprintUE Password Change and Reset Vulnerability Allowing Session Hijacking
Vulnerability
A vulnerability in blueprintUE prior to version 4.2.0 allows for session hijacking after a password change or reset. The application does not invalidate existing authenticated sessions when a user updates their password, leaving accounts vulnerable to unauthorized access. This issue arises because the password change and reset processes only update the password in the users table, without disrupting active sessions. Consequently, an attacker who has compromised a session can maintain access indefinitely, even after the user has changed their password, until the session naturally expires.
Impact
Exploitation of this vulnerability allows an attacker to retain access to a user's account even after the password has been changed, creating a persistent account takeover situation.
Reproduction
To reproduce this vulnerability, log in as a user and copy the session cookie to another browser. While logged in, change the password through the profile edit page. After the password is changed, the session in the second browser will still have full access, demonstrating that the session was not invalidated.
Remediation
The application should invalidate all of a user's sessions after a password change or reset. This can be done by adding a method to the UserService that deletes the user's sessions and calling it after the password is updated or reset, so that a previously copied session cookie stops working as soon as the password changes.
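The remediation above, shown as an added example that is not blueprintUE's own code: a constructed, simplified users/sessions model in Python where the vulnerable flow only rewrites the password hash, and the fixed flow also deletes every session for that user before issuing a fresh one. Table names, column names and function names are assumptions made for the illustration.

```python
import secrets
import sqlite3
from hashlib import pbkdf2_hmac

# Constructed, simplified model of the two tables involved; not blueprintUE's real
# schema or code. Sessions are stored server-side, keyed by the cookie token.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, pw_hash BLOB, salt BLOB);
CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER NOT NULL);
""")
db.execute("INSERT INTO users VALUES (1, NULL, NULL)")

def set_password(user_id: int, password: str) -> None:
    """Vulnerable behaviour described in the advisory: only the users table changes."""
    salt = secrets.token_bytes(16)
    pw_hash = pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    db.execute("UPDATE users SET pw_hash = ?, salt = ? WHERE id = ?", (pw_hash, salt, user_id))

def login(user_id: int) -> str:
    """Issue a new session token (credential verification omitted for brevity)."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?, ?)", (token, user_id))
    return token

def session_user(token: str):
    """Resolve a presented cookie token to a user id, or None if the session is gone."""
    row = db.execute("SELECT user_id FROM sessions WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None

def delete_user_sessions(user_id: int) -> int:
    """The missing UserService step: drop every session that belongs to the user."""
    return db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,)).rowcount

def change_password_fixed(user_id: int, password: str) -> str:
    """Hardened flow: update the hash, invalidate all sessions, re-issue one for this browser."""
    set_password(user_id, password)
    delete_user_sessions(user_id)
    return login(user_id)

def demo() -> tuple:
    """Replays the advisory's reproduction steps against both flows."""
    set_password(1, "old-password")
    copied = login(1)                     # cookie copied into a second browser
    set_password(1, "new-password")       # vulnerable change: copied session survives
    survived = session_user(copied) == 1
    fresh = change_password_fixed(1, "newer-password")
    return survived, session_user(copied), session_user(fresh)
```

`demo()` returns `(True, None, 1)`: the copied session still resolves after the vulnerable change, is rejected after the fixed change, and only the newly issued session remains valid.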