CVE-2020-35358
📋 TL;DR
CVE-2020-35358 is an insufficient session expiration vulnerability (CWE-613) in DomainMOD v4.15.0: changing a user's password does not invalidate that user's other active sessions. An attacker who already holds a valid session (for example a stolen or unattended one) keeps access after the legitimate user changes the password, which defeats the usual response to a suspected account compromise. All DomainMOD v4.15.0 installations are affected; the attacker gains whatever the compromised user can see and do in DomainMOD, including stored domain, registrar and credential data.
💻 Affected Systems
- DomainMOD
📦 What is this software?
DomainMOD (github.com/domainmod/domainmod) is an open-source PHP/MySQL web application for tracking and managing domains and related internet assets (registrar accounts, DNS providers, SSL certificates) in one place. Because it stores registrar account details and API credentials, a compromised DomainMOD session exposes more than the application itself.
⚠️ Risk & Real-World Impact
Worst Case
An attacker keeps persistent access to the domain management system after the victim believes the account has been secured by a password change. From there they can read the domain inventory and any stored registrar, DNS provider and API credentials, and alter the records DomainMOD keeps; credentials harvested this way can be reused against the registrar accounts themselves.
Likely Case
Continued unauthorized access to the DomainMOD interface with the victim's privileges, leading to data theft or tampering with the managed records; if the stale session belongs to an administrator, the attacker retains administrative control.
If Mitigated
Short session lifetimes and a cleared session store after every password change shrink the window, but the flaw is not closed: any session token the attacker captured before the change stays usable until it expires or is removed server-side.
🎯 Exploit Status
The attacker must first obtain a valid session for the victim (cookie theft via malware or a shared machine, a session left open on an unattended browser, or any prior compromise). Once they have it, no further steps are needed: the session simply keeps working after the victim changes the password, so exploitation is trivial. No public proof-of-concept is required beyond reusing the existing session cookie.
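The example below is added here to illustrate the mechanism and is not DomainMOD's own code. It models a login/session layer in plain PHP with in-memory arrays standing in for the user table and the session store (both constructed for the demo), shows the vulnerable pattern (the password change only rewrites the hash) beside a standard fix (each session is bound to a per-user "password generation" counter that the change increments, and the caller's own session id is re-issued), and runs a stolen-session scenario against both. Function names and the `pw_gen` field are this example's own.

```php
<?php
// Added example, not DomainMOD's code: why a password change must invalidate
// other sessions, and one way to do it. Arrays stand in for the DB and for
// PHP's session store; in a real app the counter lives on the user row and
// is compared against $_SESSION on every request.
declare(strict_types=1);

function new_session_id(): string
{
    return bin2hex(random_bytes(16)); // 128 bits from a CSPRNG
}

function login(array &$users, array &$sessions, string $user, string $pass): ?string
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return null;
    }
    $sid = new_session_id();
    // Remember which password generation this session was issued under.
    $sessions[$sid] = ['user' => $user, 'pw_gen' => $users[$user]['pw_gen']];
    return $sid;
}

// VULNERABLE pattern: only the hash changes, so every existing session,
// including an attacker's copy, keeps working.
function change_password_vulnerable(array &$users, string $user, string $newPass): void
{
    $users[$user]['hash'] = password_hash($newPass, PASSWORD_DEFAULT);
}

// HARDENED pattern: bump the generation (all sessions issued before it fail
// the per-request check) and re-issue the caller's session under a new id,
// the equivalent of session_regenerate_id(true) with real PHP sessions.
function change_password_hardened(array &$users, array &$sessions, string $sid, string $newPass): string
{
    $user = $sessions[$sid]['user'];
    $users[$user]['hash'] = password_hash($newPass, PASSWORD_DEFAULT);
    $users[$user]['pw_gen']++;
    unset($sessions[$sid]);
    $newSid = new_session_id();
    $sessions[$newSid] = ['user' => $user, 'pw_gen' => $users[$user]['pw_gen']];
    return $newSid;
}

// Check the application must run before serving any authenticated page.
function session_is_valid(array $users, array $sessions, string $sid): bool
{
    if (!isset($sessions[$sid])) {
        return false;
    }
    $s = $sessions[$sid];
    return isset($users[$s['user']]) && $users[$s['user']]['pw_gen'] === $s['pw_gen'];
}

// Scenario: the attacker holds a copy of alice's session; alice then changes
// her password from her own browser.
$users    = ['alice' => ['hash' => password_hash('old-pass', PASSWORD_DEFAULT), 'pw_gen' => 1]];
$sessions = [];

$stolen = login($users, $sessions, 'alice', 'old-pass'); // attacker's session
$victim = login($users, $sessions, 'alice', 'old-pass'); // alice's session

change_password_vulnerable($users, 'alice', 'new-pass-1');
printf("vulnerable: stolen session still valid after change? %s\n",
    session_is_valid($users, $sessions, $stolen) ? 'yes' : 'no');

$victim = change_password_hardened($users, $sessions, $victim, 'new-pass-2');
printf("hardened:   stolen session still valid after change? %s\n",
    session_is_valid($users, $sessions, $stolen) ? 'yes' : 'no');
printf("hardened:   victim's re-issued session valid?        %s\n",
    session_is_valid($users, $sessions, $victim) ? 'yes' : 'no');
```

Run it with `php example.php`. The first line reports the stolen session as still valid, which is the CVE-2020-35358 behaviour; after the hardened change the stolen session is rejected while the victim's freshly issued one works. A `password_changed_at` timestamp compared against a login timestamp stored in the session is an equivalent design; the essential property is that the check happens on every request, not only at login.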
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.15.1 or later
Vendor Advisory: https://github.com/domainmod/domainmod/releases
Restart Required: No
Instructions:
1. Back up the current DomainMOD installation and database.
2. Download the latest release from GitHub.
3. Replace the existing files with the patched version.
4. Run the database update scripts if the release provides them.
5. Test functionality, including the session check described under "How to Verify".
🔧 Temporary Workarounds
Manual Session Invalidation
Manually invalidate all active sessions after a password change by deleting the server-side session files. Restarting Apache or nginx does not do this: PHP keeps sessions on disk under session.save_path (on Debian/Ubuntu typically /var/lib/php/sessions for the apache2 and fpm SAPIs, /tmp if unset), and those files survive a web-server restart. Deleting them logs out every DomainMOD user, legitimate ones included, so schedule it accordingly. Check the path used by the web SAPI first, then remove the session files:
grep -E '^session.save_path' /etc/php/*/apache2/php.ini /etc/php/*/fpm/php.ini
sudo find /var/lib/php/sessions -maxdepth 1 -name 'sess_*' -delete
Adjust the directory to the configured save_path if it differs.
Session Timeout Reduction
Reduce the PHP session lifetime to limit the window during which a stale session remains usable.
session.gc_maxlifetime is a PHP setting, not a DomainMOD option: set it in the php.ini of the web SAPI (e.g. /etc/php/*/apache2/php.ini or /etc/php/*/fpm/php.ini) to a lower value such as 1800 seconds and reload PHP. Note that this only makes idle sessions eligible for garbage collection; collection runs probabilistically (session.gc_probability/session.gc_divisor) or, on Debian/Ubuntu, from a cron job, so a session can outlive the value slightly. Lowering session.cookie_lifetime alone does not help, because the cookie expiry is enforced by the browser, not the server.
🧯 If You Can't Patch
- Treat every password change as a session reset: until patched, clear the server-side session store immediately after any password change (see the workaround above) so that sessions issued under the old password cannot continue.
- Restrict access to the DomainMOD interface to trusted networks or a VPN, so that a captured session cookie is useless from outside.
- A web application firewall cannot distinguish a stale session from a live one; at most, alert on a user's session being used from a new IP address or on concurrent sessions from different addresses.
🔍 How to Verify
Check if Vulnerable:
Log in to the same DomainMOD account from two separate browsers, or a normal and a private window, so the two sessions do not share cookies (two tabs of one browser would). Change the password in the first browser, then reload an authenticated page in the second. If the second browser still shows the authenticated page instead of the login form, the installation is vulnerable.
Check Version:
Check DomainMOD version in admin interface or examine version.php file
Verify Fix Applied:
After patching, repeat the test: the session in the second browser should be rejected and redirected to the login form as soon as the password is changed in the first. Also confirm that the browser used to change the password received a new session cookie value.
📡 Detection & Monitoring
Log Indicators:
Standard web-server access logs do not record session identifiers, so none of the indicators below are visible until the session cookie (or at least the authenticated username) is logged. Apache can log the cookie with `%{PHPSESSID}C` in a LogFormat and nginx with `$cookie_PHPSESSID`; since a logged session ID is itself a credential, restrict access to those logs or log only a prefix.
- The same session ID making requests both before and after the user's password-change request
- After a password change, the session that performed the change continuing under its old ID (a patched version should rotate it)
- Requests with a session ID that was last seen from a different client IP before the change
Network Indicators:
- Concurrent sessions for one user from different IP addresses, especially after a password change
- Session activity from an IP address the user has never logged in from
SIEM Query:
Illustrative Splunk-style search, not a query from the DomainMOD project: the field names (user, sid, uri, method) and the password-change URI are placeholders to adapt to your log format. It finds sessions for a user that appear both before and after that user's first password-change request.
sourcetype=web_access host=domainmod user=* sid=*
| eval pw_change=if(method="POST" AND uri="<password-change-uri>", _time, null())
| eventstats min(pw_change) AS pw_changed_at BY user
| where isnotnull(pw_changed_at)
| stats min(_time) AS first_seen, max(_time) AS last_seen, first(pw_changed_at) AS pw_changed_at BY user, sid
| where first_seen < pw_changed_at AND last_seen > pw_changed_at
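The same detection logic as a runnable script, added here as an example and not taken from DomainMOD or any SIEM vendor. It parses access-log lines that carry the session cookie and reports every session for a user that is active both before and after that user's password-change request. The log format, the field order, the password-change URI (`/settings/user/`) and the six sample lines are all constructed for the demo and must be adapted to your own LogFormat and to DomainMOD's actual endpoint.

```php
<?php
// Added example, not DomainMOD's code: flag sessions that survive a password
// change, from access logs that include the session cookie.
declare(strict_types=1);

// Assumed password-change endpoint; replace with the real one for your install.
const PASSWORD_CHANGE_URI = '/settings/user/';

// Constructed sample lines in the format:  ip user [time] "METHOD URI PROTO" status sid=<cookie>
// (e.g. Apache LogFormat "%a %u %t \"%r\" %>s sid=%{PHPSESSID}C")
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 alice [10/Dec/2020:10:00:01 +0000] "GET /domains/ HTTP/1.1" 200 sid=a1b2c3
198.51.100.9 alice [10/Dec/2020:10:01:30 +0000] "GET /domains/ HTTP/1.1" 200 sid=d4e5f6
198.51.100.9 alice [10/Dec/2020:10:02:00 +0000] "POST /settings/user/ HTTP/1.1" 302 sid=d4e5f6
203.0.113.7 alice [10/Dec/2020:10:05:45 +0000] "GET /domains/ HTTP/1.1" 200 sid=a1b2c3
198.51.100.9 alice [10/Dec/2020:10:06:00 +0000] "GET /domains/ HTTP/1.1" 200 sid=d4e5f6
192.0.2.4 bob [10/Dec/2020:10:07:00 +0000] "GET /domains/ HTTP/1.1" 200 sid=0f0f0f
LOG;

/** Parse one log line into an event, or null if it does not match the format. */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) sid=(\S+)$/';
    if (!preg_match($re, trim($line), $m)) {
        return null;
    }
    $t = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[3]);
    if ($t === false) {
        return null;
    }
    return ['ip' => $m[1], 'user' => $m[2], 'ts' => $t->getTimestamp(),
            'method' => $m[4], 'uri' => $m[5], 'status' => (int) $m[6], 'sid' => $m[7]];
}

/**
 * Return, per user+session, the sessions seen both before and after that
 * user's first password-change request. With a correct fix, nothing should
 * be reported: old sessions are dead and the changer's own id is rotated.
 */
function findStaleSessions(array $events, string $pwChangeUri): array
{
    usort($events, fn(array $a, array $b) => $a['ts'] <=> $b['ts']);

    $changedAt = []; // user => timestamp of first password change
    foreach ($events as $e) {
        if ($e['method'] === 'POST' && $e['uri'] === $pwChangeUri && !isset($changedAt[$e['user']])) {
            $changedAt[$e['user']] = $e['ts'];
        }
    }

    $seenBefore = []; // "user|sid" => ['ip' => ..., 'ts' => ...]
    $findings   = [];
    foreach ($events as $e) {
        $u = $e['user'];
        if (!isset($changedAt[$u])) {
            continue; // user never changed a password in this window
        }
        $key = $u . '|' . $e['sid'];
        if ($e['ts'] < $changedAt[$u]) {
            $seenBefore[$key] = ['ip' => $e['ip'], 'ts' => $e['ts']];
        } elseif ($e['ts'] > $changedAt[$u] && isset($seenBefore[$key])) {
            $findings[$key] = [
                'user' => $u, 'sid' => $e['sid'],
                'seen_before_from' => $seenBefore[$key]['ip'],
                'seen_after_from'  => $e['ip'],
                'password_changed' => gmdate('c', $changedAt[$u]),
                'last_seen_after'  => gmdate('c', $e['ts']),
            ];
        }
    }
    return array_values($findings);
}

$events = array_values(array_filter(array_map('parseLine', explode("\n", SAMPLE_LOG))));
foreach (findStaleSessions($events, PASSWORD_CHANGE_URI) as $f) {
    printf("STALE SESSION user=%s sid=%s before_from=%s after_from=%s pw_changed=%s last_seen=%s\n",
        $f['user'], $f['sid'], $f['seen_before_from'], $f['seen_after_from'],
        $f['password_changed'], $f['last_seen_after']);
}
```

On the sample data both of alice's sessions are reported: a1b2c3 (a different client IP, the attacker-style case) and d4e5f6 (the session that performed the change, which a fixed DomainMOD would have rotated). bob is ignored because he changed no password. To run it against real logs, replace SAMPLE_LOG with a file read and adjust the regular expression to your LogFormat.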