Executive Summary

CVE-2026-2177 is a critical session fixation vulnerability found in SourceCodester Prison Management System version 1.0, specifically in the Login component.

The vulnerability occurs because the system assigns a session identifier (PHPSESSID) to unauthenticated users accessing the login page but fails to regenerate this session ID after successful administrator login.

This flaw allows an attacker to pre-obtain a valid session ID, trick an administrator into logging in with that session ID, and then hijack the authenticated session by reusing the same session ID.

As a result, the attacker can gain full administrative access without needing to authenticate themselves.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to hijack authenticated sessions by fixing a session ID before login and then reusing it after the administrator logs in.

The attacker gains full administrative access to the system, severely compromising its confidentiality, integrity, and availability.

Because the exploit can be performed remotely without authentication and an easy-to-use proof-of-concept is publicly available, the risk of exploitation is high.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring session management behavior during the login process, specifically checking if the PHP session ID (PHPSESSID) is regenerated after successful authentication.'}, {'type': 'paragraph', 'content': 'One way to detect the vulnerability is to capture HTTP requests and responses to the /Admin/login.php page and verify if the session ID remains the same before and after login.'}, {'type': 'list_item', 'content': 'Use tools like curl or wget to perform login requests and observe the Set-Cookie headers for PHPSESSID.'}, {'type': 'list_item', 'content': 'Example command to capture cookies before login: curl -c cookies.txt http://target/Admin/login.php'}, {'type': 'list_item', 'content': 'Example command to perform login using saved cookies and check if session ID changes: curl -b cookies.txt -c cookies.txt -d "username=admin&password=adminpass" http://target/Admin/login.php -v'}, {'type': 'paragraph', 'content': 'If the PHPSESSID remains unchanged after login, it indicates the presence of the session fixation vulnerability.'}] [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to ensure that the session ID is regenerated upon successful authentication to prevent session fixation.'}, {'type': 'paragraph', 'content': "Specifically, the application should call session_regenerate_id(true) in PHP right after verifying the administrator's credentials and before setting any session variables."}, {'type': 'paragraph', 'content': 'If modifying the application is not possible immediately, consider replacing the affected product with an alternative solution as no known countermeasures or patches are currently available.'}, {'type': 'paragraph', 'content': 'Additionally, monitor and restrict access to the login page and consider implementing multi-factor authentication to reduce the risk of session hijacking.'}] [1, 2]

Useful 0 Not Useful 0