[GH-ISSUE #1099] Session Fixation in all versions of FileManager #706

Open
opened 2026-03-02 16:00:55 +03:00 by kerem · 2 comments
Owner

Originally created by @whitej3rry on GitHub (Oct 15, 2023).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/1099

Hi @prasathmani,

Hope you are doing good. I have discovered a Session Fixation Vulnerability in all versions, including the latest. Following are the steps to reproduce:

  1. Login to filemanager
  2. Intercept the response and change the cookie to any 26 character string, "ThisIsDefinatelyIncorectId" or "aaaaaabbbbbbddddddeeeeeerr"
  3. Forward the response to browser
  4. Logout from the filemanager
  5. Session ID you provided is still valid

Hope the issue will be resolved in next release.

Thanks and Regards,
Dani
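Server-side session handling that closes the window the report above describes (a client-chosen ID being adopted, and surviving logout), as an added example that is not tinyfilemanager's own code; `check_credentials()` is a hypothetical helper assumed to exist elsewhere:

```php
<?php
// Added example, not tinyfilemanager's code. Assumes check_credentials()
// is defined elsewhere (hypothetical helper).

// Strict mode makes PHP ignore a session ID it never issued: a cookie value
// the client invented (e.g. "aaaaaabbbbbbddddddeeeeeerr") is discarded and a
// fresh server-generated ID is issued instead of being adopted as-is.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
session_start();

function login_user(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {   // hypothetical helper
        return false;
    }
    // Rotate the ID at the privilege change and delete the old session
    // record, so an ID known before authentication maps to nothing afterwards.
    session_regenerate_id(true);
    $_SESSION['logged'] = $user;
    return true;
}

function logout_user(): void
{
    // Clear the data, expire the cookie in the browser, and destroy the
    // server-side record so the old ID can no longer be replayed.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

To verify the fix, repeat the report's steps: after logout, a request carrying the old cookie value should land on an empty, unauthenticated session.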


@whitej3rry commented on GitHub (Dec 13, 2023):

Hi @prasathmani,
Hope you are doing good. Do you have plans to fix this in the upcoming release?


@prasathmani commented on GitHub (Dec 14, 2023):

@whitej3rry , Thank you for reporting. Will fix it for the future release.
