Session Fixation Affecting @directus/api package, versions <21.0.1 >=22.0.0 <22.2.0

@directus/api is a real-time API and App dashboard for managing SQL database content

Affected versions of this package are vulnerable to Session Fixation via the respond middleware. An attacker can access credentials of the last authenticated user that attempted to authenticate via SSO link without a redirect query string in the URL.

-Create a new Directus project

-Set CACHE_ENABLED to true

-Set CACHE_STORE to redis for reliable results (if using memory with multiple nodes, it may only happen sometimes, due to cache being different for different nodes)

-Configure REDIS with redis string or redis host, port, user, etc.

-Set AUTH_PROVIDERS to openid

-Set PUBLIC_URL to the the main URL of your project. For example, PUBLIC_URL: http://localhost:8055

-Configure AUTH_OPENID_CLIENT_ID, AUTH_OPENID_CLIENT_SECRET, AUTH_OPENID_ISSUER_URL with proper OpenID configurations

-Be sure that on OpenID external app you have configured Redirect URI to http://localhost:8055/auth/login/openid/callback

-Run Directus

-Open the SSO link like http://localhost:8055/auth/login/openid/callback

-Do the authentication on the OpenID external webpage

-Verify that it you got redirected to a page with a JSON including access_token property

-Be sure all anonymous mode windows are closed

-Open an anonymous window and go to the SSO Link http://localhost:8055/auth/login/openid/callback and see you have the same credentials, even though you don't have any session because you are in anonymous mode.

• GitHub Commit
• GitHub Commit
• Vulnerable Code
• Vulnerable Code