Session Invalidation in Economizzer Allows Unauthorized Access After Logout

[Ron E <ronaldjedgerson () gmail com>]

A session management vulnerability exists in gugoan's Economizzer
v.0.9-beta1. The application fails to properly invalidate user sessions
upon logout or other session termination events. As a result, a valid
session remains active and usable even after the user has attempted to log
out.



POST /web/category/create HTTP/2

Host: <host>

Cookie: _economizzerSessionId=<<REDACTED>>;
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/