Dancer::Session::Abstract Insecure Session ID Generation Vulnerability
Vulnerability
A vulnerability exists in Dancer::Session::Abstract versions through 1.3522 for Perl, where session IDs are generated insecurely. The default session ID is built by summing the character code points of the script's absolute pathname, the process ID, the epoch time and the output of Perl's built-in rand() (called with an upper bound of 999,999,999,999, so it yields a value between 0 and roughly 10^12), and this construction is repeated three times to form the ID. None of those inputs is secret enough for the purpose. The pathname can be known or guessed, particularly for applications installed in standard locations. The epoch time can be estimated and may be leaked by an HTTP header such as the Date response header. Process IDs are drawn from a small numeric range and are often sequential. rand() is seeded with only 32 bits, so even an exhaustive search of the seed is a fixed offline cost, and repeating the construction three times lengthens the ID without adding entropy, because all three segments derive from the same seed. Because the ID is predictable, an attacker can forge a valid session identifier and take over another user's session.
Impact
The vulnerability leads to predictable session IDs. An attacker who can reconstruct or brute-force the inputs can present a valid session ID without authenticating, hijack other users' sessions and act with their privileges in the application.
Reproduction
To reproduce this vulnerability, create a Dancer application with a session engine that relies on the default ID generation in Dancer::Session::Abstract, deploy it, and collect the session IDs it issues. Given the installation pathname, the process ID, the current epoch time and the 32-bit rand() seed, the IDs can be regenerated exactly: the first three are known, estimated or enumerable, and the seed space is small enough to search offline (the attacker does not control rand(), but does not need to). This predictability allows session ID guessing and session hijacking.
Remediation
Users should upgrade to a Dancer::Session::Abstract version later than 1.3522, where this vulnerability has been addressed. Where an upgrade is not immediately possible, the session ID generation can be replaced with one that draws the ID from the operating system's cryptographic random source (for example 32 bytes from /dev/urandom or Crypt::URandom). In either case, invalidate sessions that were issued by the old generator, because those IDs remain predictable after the fix.
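The following is an added example written for this page, not code from Dancer or its authors. It models the described construction (path code-point sum, pid, epoch, rand() repeated three times) in plain Perl, shows how an attacker who knows the path and can bound the pid and time recovers the remaining input by brute force, and ends with a replacement generator that reads from the OS CSPRNG. The install path, pid, epoch and seed are assumed values, the seed range is capped at 2^12 purely so the search finishes quickly, and the weak generator is a reconstruction from the advisory text rather than Dancer's actual implementation.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed model of the scheme the advisory describes: sum of the path's
# character code points, pid, epoch time and rand(), repeated three times.
# This is NOT Dancer's own code; it only reproduces the described structure.
sub path_code_point_sum {
    my ($path) = @_;
    my $sum = 0;
    $sum += ord($_) for split //, $path;
    return $sum;
}

sub weak_session_id {
    my ($path_sum, $pid, $epoch, $seed) = @_;
    srand($seed);                      # Perl's rand() accepts at most a 32-bit seed
    my $id = '';
    for (1 .. 3) {                     # repetition lengthens the ID, adds no entropy
        $id .= $path_sum + $pid + $epoch + int(rand(999_999_999_999));
    }
    return $id;
}

# Attacker model: path known (standard install), epoch within a few seconds
# of the Date header, pid within a small window, seed brute-forced.
# Returns (guesses, pid, epoch, seed) on success, (guesses) otherwise.
sub predict_session_id {
    my ($target, $path, $pids, $epochs, $seed_max) = @_;
    my $path_sum = path_code_point_sum($path);
    my $guesses  = 0;
    for my $pid (@$pids) {
        for my $epoch (@$epochs) {
            for my $seed (1 .. $seed_max) {
                $guesses++;
                return ($guesses, $pid, $epoch, $seed)
                    if weak_session_id($path_sum, $pid, $epoch, $seed) eq $target;
            }
        }
    }
    return ($guesses);
}

# Hardened generator: 32 bytes from the OS CSPRNG, hex encoded (256 bits).
# Crypt::URandom::urandom(32) is the portable equivalent where /dev/urandom
# is not available.
sub secure_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = sysread $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    return unpack 'H*', $bytes;
}

# Victim parameters (assumed values). The seed is capped at 2**12 so the demo
# finishes in seconds; the real ceiling is 2**32, still a fixed offline cost.
my $path   = '/var/www/myapp/bin/app.pl';
my $pid    = 12345;
my $epoch  = 1_700_000_000;
my $seed   = 0x0ABC;
my $target = weak_session_id(path_code_point_sum($path), $pid, $epoch, $seed);

my ($guesses, @hit) = predict_session_id(
    $target, $path,
    [ $pid - 31 .. $pid + 32 ],        # 64 candidate pids (sequential allocation)
    [ $epoch - 1 .. $epoch + 1 ],      # Date header accurate to a few seconds
    2**12,
);

print "weak session id : $target\n";
if (@hit) {
    printf "recovered       : pid=%d epoch=%d seed=%d after %d guesses\n", @hit, $guesses;
} else {
    print "not recovered within the demo search space ($guesses guesses)\n";
}
print "hardened id     : ", secure_session_id(), "\n";
```

Run it with `perl weak_session_demo.pl`; no Dancer installation is needed. The search space is pid window times time window times seed range, and with the seed at its real 2^32 ceiling the cost grows to a few hundred billion srand/rand calls, still a bounded offline computation rather than the 2^128 or more a session ID should cost to guess. The three repeated segments of the weak ID are not independent of each other because they share one seed, which is why the repetition adds length but no security. A 256-bit value from /dev/urandom has no such structure; if you replace the ID generation in a subclass while waiting to upgrade (the method is documented as build_id in Dancer::Session::Abstract; confirm against your installed version), secure_session_id is the kind of routine to use.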
