Ado::Sessions Insecure Session ID Generation Vulnerability

Vulnerability

A vulnerability exists in Ado::Sessions versions through 0.935 for Perl, where session IDs are generated in an insecure manner. The session ID is the SHA-1 hash of three inputs: the output of Perl's built-in rand function, the epoch time, and the process ID (PID). None of these inputs is secret or high-entropy: the PID is drawn from a limited range of values, the epoch time is predictable and may even be disclosed directly in the HTTP Date header, and rand is not suitable for cryptographic purposes. Hashing predictable inputs with SHA-1 does not add entropy, so the resulting session IDs are predictable. Such predictability could allow an attacker to hijack sessions and gain unauthorized access to systems.

Impact

The vulnerability allows for session hijacking, where an attacker could predict and steal session IDs to gain unauthorized access to a user's session.

Remediation

Users are advised to switch to a maintained alternative that generates session IDs from a secure random number generator backed by the operating system. Recommended modules for secure random data generation in Perl include Crypt::URandom, Crypt::SysRandom, and Sys::GetRandom.
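The following is an added illustration, not code from Ado::Sessions or from any of the recommended modules. It places the insecure construction the advisory describes next to a hardened generator that draws its entropy from the OS via Crypt::URandom (assumed to be installed; its exported urandom function returns the requested number of random bytes). The helper names weak_session_id, secure_session_id and looks_sane are hypothetical.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Crypt::URandom qw(urandom);

# Illustrative reconstruction of the pattern the advisory describes:
# SHA-1 over rand(), the epoch time and the PID. Each input is
# low-entropy or guessable, and hashing does not add entropy, so the
# output is predictable. Shown only for contrast; do not use.
sub weak_session_id {
    return sha1_hex( rand() . time() . $$ );
}

# Hardened replacement: 32 bytes (256 bits) read from the operating
# system's random source through Crypt::URandom, then hex-encoded.
# No hashing is needed; the entropy comes from the OS, not the encoding.
sub secure_session_id {
    my $byte_count = 32;    # 256 bits of entropy
    return unpack( 'H*', urandom($byte_count) );
}

# A cheap sanity check suitable for a test suite: the ID must be exactly
# 64 lowercase hex characters (32 bytes). This catches a truncated read
# or an encoding slip, but is not a substitute for a proper entropy source.
sub looks_sane {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{64}\z/;
}

my $id1 = secure_session_id();
my $id2 = secure_session_id();
die "unexpected session id format\n" unless looks_sane($id1) && looks_sane($id2);
die "consecutive session ids must not repeat\n" if $id1 eq $id2;
print "session id: $id1\n";
```

When replacing a session store, also check where the ID is compared and expired: a 256-bit random ID is only useful if the cookie is marked Secure and HttpOnly and the server invalidates it on logout, which the advisory's remediation (switching libraries) does not cover by itself.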

Added: Apr 8, 2026, 6:18 AM
Updated: Apr 8, 2026, 6:18 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          1.3
  exploitability  7.3
  remediation     0.0
  relevance       5.5
  threat          3.2
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.