CVE-2017-12965

9.8 CRITICAL

📋 TL;DR

This session fixation vulnerability in Apache2Triad 1.5.4 allows attackers to hijack user sessions by setting the PHPSESSID parameter. Attackers can impersonate legitimate users and gain unauthorized access to web applications. This affects all Apache2Triad 1.5.4 installations with default configurations.

💻 Affected Systems

Products:
  • Apache2Triad
Versions: 1.5.4
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Apache2Triad is a Windows-based server stack that includes Apache, PHP, MySQL and other components. The vulnerability exists in the PHP session handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover leading to data theft, privilege escalation, and full system compromise through authenticated actions.

🟠 Likely Case

Unauthorized access to user accounts, session hijacking, and potential data exposure.

🟢 If Mitigated

Limited impact with proper session management controls and monitoring in place.

🌐 Internet-Facing: HIGH - Web servers are directly accessible and vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch exists. Upgrade to a different, maintained server stack as Apache2Triad is outdated and no longer supported.

🔧 Temporary Workarounds

Implement session regeneration

all

Regenerate session IDs after user authentication to prevent fixation attacks

session_regenerate_id(true); // In PHP after successful login

Secure session cookie settings

all

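Configure PHP to use secure session cookie parameters. session.use_only_cookies = 1 stops PHP from accepting a session ID passed in the URL, session.cookie_httponly = 1 hides the cookie from client-side script, and session.cookie_secure = 1 sends the cookie only over HTTPS, so the site must be served over TLS.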

session.cookie_httponly = 1
session.cookie_secure = 1
session.use_only_cookies = 1

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block session fixation attempts
  • Migrate to a modern, supported server stack like XAMPP, WAMP, or individual component installations

🔍 How to Verify

Check if Vulnerable:

Check if running Apache2Triad version 1.5.4 and test if session IDs persist after authentication without regeneration.

Check Version:

Check Apache2Triad installation directory or control panel for version information.

Verify Fix Applied:

Verify session IDs change after successful login and cannot be set via URL parameters.

📡 Detection & Monitoring

Log Indicators:

  • Multiple session creations from same IP
  • Session IDs in URL parameters
  • Failed authentication attempts followed by successful login with same session ID

Network Indicators:

  • PHPSESSID parameter in URLs
  • Session fixation attempts in HTTP requests

SIEM Query:

web.url:*PHPSESSID* OR web.uri:*PHPSESSID*
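
One way to triage the log indicators above, as an added example rather than code from the advisory or from Apache2Triad: it scans Apache access-log lines for PHPSESSID in the query string and reports session IDs sent by more than one client IP. The combined log format, the function names and the sample lines (documentation-range IPs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:13:55:01 +0000] "GET /index.php?PHPSESSID=abc123fixed HTTP/1.1" 200 512 "-" "curl/7.55"
198.51.100.24 - - [10/Oct/2017:13:58:40 +0000] "GET /login.php?PHPSESSID=abc123fixed HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
198.51.100.24 - - [10/Oct/2017:13:58:55 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2017:14:02:11 +0000] "GET /news.php?id=4&PHPSESSID=zz9 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2017:14:02:30 +0000] "GET /about.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# Client IP and request target from the start of a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def session_ids_in_urls(log_text, param="PHPSESSID"):
    """Map each session ID carried in a URL query string to the client IPs that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes values; PHP parameter names are case-sensitive.
        for sid in parse_qs(query, keep_blank_values=True).get(param, []):
            seen[sid].add(m.group("ip"))
    return dict(seen)


def shared_session_ids(log_text, param="PHPSESSID"):
    """Session IDs supplied in URLs by more than one client IP (worth investigating)."""
    return {
        sid: sorted(ips)
        for sid, ips in session_ids_in_urls(log_text, param).items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    for sid, ips in session_ids_in_urls(SAMPLE_LOG).items():
        print(f"URL-borne session ID {sid!r} from {sorted(ips)}")
    for sid, ips in shared_session_ids(SAMPLE_LOG).items():
        print(f"REVIEW: {sid!r} presented by multiple clients: {ips}")
```

Clients behind a shared NAT or proxy appear as one IP, so a single-IP result does not rule out fixation; treat any URL-borne session ID as a finding once session.use_only_cookies is enabled.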
