Re: What happened with the session fixation bug?

2005-06-05 Thread Michael Cordover


James A. Donald wrote:
| Adversary accesses web site as if about to log in, gets
| a session ID.  Then supplies false information to
| someone else's browser, causes that browser on someone
| else's computer to use that session ID.  Someone else
| logs in with hacker's session ID, and now the adversary
| is logged in.

An excellent plan and the reason sessions shouldn't be automatically
given to every user of a site.  In my experience though, sessions aren't
created until the login button is pressed - the malicious user needs
an existing account.  This might then become a permissions escalation
problem - emphasis on the might.

Question: how does one convince the victim's browser to use the
malicious ID?  And if one can modify cookies on the browser for a remote
site (what needs to be done in most cases), doesn't this raise much more
serious questions about XSS?  I think this is probably a low-impact
issue unless sessions are used improperly.  Then again, given some web
apps I've seen, might be high impact :/.

Regards,

Michael Cordover

--
http://mine.mjec.net/
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: What happened with the session fixation bug?

2005-06-05 Thread James A. Donald
James A. Donald wrote:
  Adversary accesses web site as if about to log in, 
  gets a session ID.  Then supplies false information 
  to someone else's browser, causes that browser on 
  someone else's computer to use that session ID. 
  Someone else logs in with hacker's session ID, and 
  now the adversary is logged in.

Michael Cordover
 Question: how does one convince the victim's browser 
 to use the malicious ID?

Assuming we can intercept and modify cleartext, no 
problem.  There are also several other ways that do not 
require such a man-in-the-middle attack.

For example, the adversary might represent himself as 
selling some item for egold.  The victim clicks on the 
egold link on the adversary's web page, but it is a 
session fixation link which looks something like this.

  <a href="http://e-gold/index.php?PHPSESSID=64383-34324-987437">

As a result, when the victim logs in to e-gold (logs in 
to the genuine e-gold, not a phishing site), he logs the 
adversary in.  The adversary then drains all of the 
user's account.  (Assuming that e-gold is vulnerable to 
session fixation.) 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 /xB6pMv9fT1fIGlyhzRyAjdO+X1POcedv7maASR+
 4rXw3i2fw8a6eXIV31Rc11GLSM+BsAqwdlNX3AVVO


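The attack James describes, played out end to end against a simulated server, as an added example that is not code from the thread or from e-gold. The session store, the "victim" account, the request model and the `rotate_on_login` switch are assumptions standing in for PHP-style cookie/URL session handling; the one difference between the two runs is whether the server issues a fresh session ID at login, which is the fix session fixation calls for.

```python
"""Session fixation, simulated end to end.

A minimal PHP-style session server: the session ID is taken from the
PHPSESSID URL parameter or from a cookie.  With rotate_on_login=False the
ID the attacker planted survives the victim's login, so the attacker's
copy of it is now a logged-in session.  With rotate_on_login=True the
login is bound to a new ID the attacker never saw.

Everything here (server, account, URLs) is a constructed stand-in for the
scenario in the thread, not an actual e-gold or PHP implementation.
"""
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse


class SessionServer:
    """Toy session handling; rotate_on_login=False reproduces the
    fixation-vulnerable behaviour the thread describes."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}                         # session id -> session data
        self.passwords = {"victim": "hunter2"}     # constructed test account

    def _new_id(self) -> str:
        return secrets.token_hex(16)

    def request(self, url: str, cookie_sid: Optional[str] = None) -> str:
        """Serve a request and return the session ID the client should keep.
        An ID in the URL wins over the cookie (like PHP's trans-sid
        behaviour); an unknown ID is adopted rather than rejected, which is
        the PHP default without session.use_strict_mode."""
        qs = parse_qs(urlparse(url).query)
        sid = qs.get("PHPSESSID", [cookie_sid])[0]
        if sid is None:
            sid = self._new_id()
        self.sessions.setdefault(sid, {})
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate and return the session ID that now carries the login."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        if self.rotate_on_login:
            # The fix: as with PHP's session_regenerate_id(true), destroy the
            # pre-login session and bind the login to a freshly minted ID.
            self.sessions.pop(sid, None)
            sid = self._new_id()
            self.sessions[sid] = {}
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def run_fixation_attack(rotate_on_login: bool) -> Tuple[Optional[str], Optional[str]]:
    """Play the thread's scenario against one server configuration.
    Returns (user the attacker's chosen ID resolves to after the victim
    logs in, user the victim's own browser resolves to)."""
    server = SessionServer(rotate_on_login)

    # 1. Adversary visits the login page and is issued a genuine session ID.
    attacker_sid = server.request("http://e-gold/index.php")

    # 2. Adversary embeds that ID in a link on his own page; the victim
    #    follows it and the server adopts the ID from the URL.
    planted_link = f"http://e-gold/index.php?PHPSESSID={attacker_sid}"
    victim_sid = server.request(planted_link)

    # 3. Victim logs in to the genuine site, still carrying the planted ID.
    victim_sid = server.login(victim_sid, "victim", "hunter2")

    # 4. Adversary now presents the ID he chose in step 2.
    return server.whoami(attacker_sid), server.whoami(victim_sid)


if __name__ == "__main__":
    print("no rotation at login:", run_fixation_attack(rotate_on_login=False))
    print("rotation at login:   ", run_fixation_attack(rotate_on_login=True))
```

Without rotation the attacker's ID resolves to "victim" after the victim logs in; with rotation it resolves to nothing, because the login was moved to an ID the attacker never held. Note that rejecting unknown IDs (PHP's session.use_strict_mode) would not on its own prevent this run, since the attacker obtained a server-issued ID in step 1, exactly as the thread describes.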