|
| 1 | +--- |
| 2 | +gem: pwpush |
| 3 | +cve: 2024-56733 |
| 4 | +ghsa: 4fwj-m62q-pp47 |
| 5 | +url: https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-4fwj-m62q-pp47 |
| 6 | +title: Password Pusher Allows Session Token Interception Leading |
| 7 | + to Potential Hijacking |
| 8 | +date: 2024-12-30 |
| 9 | +description: | |
| 10 | + ### Impact |
| 11 | +
|
| 12 | + A vulnerability has been reported in Password Pusher where an |
| 13 | + attacker can copy the session cookie before a user logs out, |
| 14 | + potentially allowing session hijacking. |
| 15 | +
|
| 16 | + Although the session token is replaced and invalidated upon logout, |
| 17 | + if an attacker manages to capture the session cookie before this |
| 18 | + process, they can use the token to gain unauthorized access to the |
| 19 | + user's session until the token expires or is manually cleared. |
| 20 | +
|
| 21 | + This vulnerability hinges on the attacker's ability to access the |
| 22 | + session cookie during an active session, either through a |
| 23 | + man-in-the-middle attack, by exploiting another vulnerability like |
| 24 | + XSS, or via direct access to the victim's device. |
| 25 | +
|
| 26 | + ### Patches |
| 27 | +
|
| 28 | + Although there is no direct resolution to this vulnerability, it is |
| 29 | + recommended to always use the latest version of Password Pusher to |
| 30 | + best mitigate risk. |
| 31 | +
|
| 32 | + ### Workarounds |
| 33 | +
|
| 34 | + If self-hosting, ensure Password Pusher is hosted exclusively over |
| 35 | + SSL connections to encrypt traffic and prevent session cookies from |
| 36 | + being intercepted in transit. Additionally, implement best practices |
| 37 | + in local security to safeguard user systems, browsers, and data |
| 38 | + against unauthorized access. |
| 39 | +
|
| 40 | + To further mitigate session hijacking risks, Password Pusher |
| 41 | + implements the following security measures: |
| 42 | +
|
| 43 | + 1. **Automatic Session Expiration**: Sessions are automatically |
| 44 | + expired after 2 hours of inactivity, reducing the window for |
| 45 | + potential exploitation. |
| 46 | +
|
| 47 | + 2. **Session Reset on Login and Logout**: Sessions are fully reset |
| 48 | + both when a user logs in and logs out, ensuring that session |
| 49 | + tokens are not reusable post-logout. This practice invalidates |
| 50 | + old session tokens and issues new ones, minimizing the risk of |
| 51 | + session hijacking. |
| 52 | +
|
| 53 | + 3. **Encrypted Cookies**: Cookies are encrypted using the value of |
| 54 | + SECRET_KEY_BASE from the application's configuration. This |
| 55 | + encryption adds a layer of protection against tampering or reading |
| 56 | + the session cookie's contents if intercepted, although it doesn't |
| 57 | + prevent the cookie from being used if stolen. |
| 58 | +
|
| 59 | + **Note**: While these measures significantly enhance security, they |
| 60 | + are part of a broader security strategy. |
| 61 | +
|
| 62 | + ### References |
| 63 | +
|
| 64 | + * https://edgeguides.rubyonrails.org/security.html#session-hijacking |
| 65 | +
|
| 66 | + ### Credits |
| 67 | +
|
| 68 | + Thank you to [Positive Technologies](https://www.ptsecurity.com/ww-en/) |
| 69 | + for reporting and working with me to bring this CVE to the community. |
| 70 | +
|
| 71 | +cvss_v3: 5.7 |
| 72 | +related: |
| 73 | + url: |
| 74 | + - https://nvd.nist.gov/vuln/detail/CVE-2024-56733 |
| 75 | + - https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-4fwj-m62q-pp47 |
| 76 | + - https://github.com/advisories/GHSA-4fwj-m62q-pp47 |
0 commit comments