:D On 07/11/12 15:56, Benji wrote: > I have no words, just shock. > > On Wed, Jul 11, 2012 at 9:34 AM, Gokhan Muharremoglu > <[email protected]> wrote: >> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability >> Type: Improper Session Handling >> Impact: Session Hijacking >> Level: Medium >> Date: 10.07.2012 >> Vendor: Vendor-neutral >> Issuer: Gokhan Muharremoglu >> E-mail: [email protected] >> >> >> VULNERABILITY >> If a web application starts a session and defines a session id before a user >> authenticated, this session id must be changed after a successful >> authentication. If web application uses the same session id before and after >> authentication, any legitimate user who has gained the "before >> authentication" session id can hijack future "after authentication" sessions >> too. >> >> >> Vulnerable Login Page & Session ID before Authentication >> (Status-Line) HTTP/1.1 200 OK >> Server Apache/2.2.3 (CentOS) >> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/ >> Expires Thu, 19 Nov 1981 08:52:00 GMT >> Cache-Control no-store, no-cache, must-revalidate, post-check=0, >> pre-check=0 >> Pragma no-cache >> Content-Type text/html >> Content-Length 308 >> Date Tue, 10 Jul 2012 06:16:57 GMT >> X-Varnish 1922993981 >> Age 0 >> Via 1.1 varnish >> Connection keep-alive >> >> >> Vulnerable Login Page & Authentication Request >> (Request-Line) POST /iosec_login_vulnerable.php HTTP/1.1 >> Host www.iosec.org >> User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25) >> Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E) >> Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >> Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3 >> Accept-Encoding gzip,deflate >> Accept-Charset ISO-8859-9,utf-8;q=0.7,*;q=0.7 >> Keep-Alive 115 >> Connection keep-alive >> Referer http://www.iosec.org/iosec_login_vulnerable.php >> Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2 >> Content-Type application/x-www-form-urlencoded >> Content-Length 42 >> POST DATA >> user gokhan >> pass muharremoglu >> submit Login >> >> >> Vulnerable Login Page & Session ID after Authentication >> (Status-Line) HTTP/1.1 200 OK >> Server Apache/2.2.3 (CentOS) >> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/ >> Expires Thu, 19 Nov 1981 08:52:00 GMT >> Cache-Control no-store, no-cache, must-revalidate, post-check=0, >> pre-check=0 >> Pragma no-cache >> Content-Type text/html >> Content-Length 308 >> Date Tue, 10 Jul 2012 06:16:57 GMT >> X-Varnish 1922993981 >> Age 0 >> Via 1.1 varnish >> Connection keep-alive >> >> >> MITIGATION >> To avoid this vulnerability, sessions must be regenerated after a successful >> login. In a session fixation attack, attacker fixates (sets) another >> person's (victim's) session identifier because of "never regenerated and >> validated" session id and this vulnerability can also lead to the Session >> Fixation attack. >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
-- Name: Levon 'noptrix' Kayan E-Mail: [email protected] GPG key: 0x014652c0 Key fingerprint: ABEF 4B4B 5D93 32B8 D423 A623 823D 4162 0146 52C0 Homepage: http://www.nullsecurity.net/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
