session hijacking
Details:
========
Multiple persistent input validation vulnerabilities are detected in Astaro Command Center v2.x.
The bugs allow a local privileged attacker to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires user interaction and minimum restricted access to the panel.
Vulnerable Module(s):
[+] Configuration - Networks Definition
[+] Deploy Function
CVE-2007-3382: Handling of cookies containing a ' character
Severity:
Low (Session Hi-jacking)
Vendor:
The Apache Software Foundation
Versions Affected:
Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected in the car portal v3.0 web application.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user interaction.
Vulnerable Module(s):
[+] Post a new vehicle - PWRS & Description field
[+] Create News - News title
The vulnerability exists due to the “/gwtTeaming.rpc” code not properly sanitizing user input into the “What Are You Working On?” or Micro Blog entry field. Also, the application fails to encode the output allowing for the execution of the script.
Tested on: CentOS 5.5 (kernel 2.6.18-194), MySQL Version 14.12 Distribution 5.0.77, and Novell Vibe 3 BETA OnPrem.
Affected software versions: Vibe 3 BETA OnPrem
Impact: Any user who can view another user’s Micro Blog entry is vulnerable to this XSS attack. Successful exploitation of this vulnerability could result in session cookie theft, session hijacking, URL redirection, and possible operating system code execution on the targeted victim’s host.
Fixed in: Fixed in the final shipping version of Novell Vibe OnPrem 3
Remediation guidelines: Update to the final shipping version of Novell Vibe OnPrem 3
Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected on the osCmax v2.5.1 shop web application.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user interaction.
Vulnerable Module(s):
[+] Register Form - Input Fields & Login Username Display
========
A persistent Cross-Site Scripting vulnerability has been detected on C4B XPhone UC Web v4.1.890SR1 and versions below.
The bug allows an attacker to inject arbitrary script code on the application side (persistent) via for example
a connected groupware application like Microsoft Outlook or IBM Lotus Notes. The injected script code is
executed on every client who is searching for details of the manipulated user on the web application. Successful
exploitation of the vulnerability can therefore lead to session hijacking or stable (persistent) context manipulation.
Vulnerable Module(s):
[+] Work => Home/Work => Company Name (Input)
[+] Contact Phone Listing => Company Name Display Conversation (Output)
1.2
A non-persistent cross site scripting vulnerability is detected in appRain CMF v0.1.5. The vulnerability allows remote
attackers to hijack skype customer sessions via cross site scripting. Successful exploitation of the client-side vulnerability
can result in session hijacking and account theft (user/customer/moderator/administrator).
Vulnerable Module(s):
[+] Search (Cross Site Scripting)
(/surgemail) allows remote attackers to inject arbitrary web script or HTML.
Input passed to the "username_ex" parameter is not properly sanitised before
being returned to the user, therefore enabling the execution of arbitrary
script code in a user's browser session, which can lead to cookie theft and
session hijacking.
The vulnerability is confirmed to exist in version 4.3e (latest version at
the date of vulnerability discovery). Previous versions may also be vulnerable.
Exploit
Squirrelmail: Session hijacking vulnerability, CVE-2008-3663
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3663
http://int21.de/cve/CVE-2008-3663-squirrelmail.html
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Description
Details:
========
Multiple persistent input validation vulnerabilities are detected on Onxshops Content Management System v1.5.0.
The bug allows a remote attacker to implement malicious script code on the application side (persistent).
Successful exploitation of the vulnerability allows an attacker to manipulate modules/context (persistent) and can
lead to session hijacking (user/mod/admin).
Vulnerable Module(s):
[+] Pages - Title
[+] Search - Keywords & Inputs
drupal: Session hijacking vulnerability, CVE-2008-3661
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3661
http://int21.de/cve/CVE-2008-3661-drupal.html
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Description
menalto gallery: Session hijacking vulnerability, CVE-2008-3662
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3662
http://int21.de/cve/CVE-2008-3662-gallery.html
http://gallery.menalto.com/gallery_2.2.6_released
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0
through 4.1.36 does not properly handle (1) double quote (") characters
or (2) \%5C (encoded backslash) sequences in a cookie value, which
might cause sensitive information such as session IDs to be leaked
to remote attackers and enable session hijacking attacks. NOTE:
this issue exists because of an incomplete fix for CVE-2007-3385
(CVE-2007-5333).
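The three Tomcat cookie entries on this page (CVE-2007-3382, CVE-2007-3385 and the incomplete-fix follow-up CVE-2007-5333) are one class of mistake: quote and escape handling inside the Cookie-header parser that lets the value of one cookie run across the ';' separators and absorb its neighbours, so a session id ends up inside a cookie the application treats as harmless and may echo somewhere an attacker can read. The example below is added here and is not Tomcat's code: a constructed Cookie header in which an attacker-planted "lang" cookie begins with a quote (or carries an escaped quote), a toy quote-aware parser that reproduces the swallowing, a split-on-';'-first parser that keeps JSESSIONID intact, and a check for whether the session cookie was absorbed. The cookie names and values are constructed for illustration.

```javascript
// Added example: two toy Cookie-header parsers illustrating the bug class behind
// CVE-2007-3382/3385/5333. Neither is Tomcat's code; the headers below are constructed.

// Quote-aware parser: on a double quote it reads a quoted-string, honouring
// backslash escapes and crossing ';' boundaries until a closing quote (or end of
// header). This is the behaviour that lets one cookie swallow its neighbours.
function parseCookieQuoted(header) {
  const out = {};
  let i = 0;
  while (i < header.length) {
    while (i < header.length && (header[i] === ';' || header[i] === ' ')) i++;
    if (i >= header.length) break;
    const eq = header.indexOf('=', i);
    if (eq < 0) break;
    const name = header.slice(i, eq).trim();
    i = eq + 1;
    let value = '';
    if (header[i] === '"') {
      i++; // opening quote
      while (i < header.length && header[i] !== '"') {
        if (header[i] === '\\' && i + 1 < header.length) i++; // escaped char, e.g. \"
        value += header[i++];
      }
      i++; // closing quote, if there was one
    } else {
      let end = header.indexOf(';', i);
      if (end < 0) end = header.length;
      value = header.slice(i, end).trim();
      i = end;
    }
    if (name) out[name] = value;
  }
  return out;
}

// Split-first parser (RFC 6265 style): split on ';' before looking at values, so a
// quote or backslash inside one value can never move where the next cookie starts.
function parseCookieSplitFirst(header) {
  const out = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    // cookie-name must be a token; anything else is dropped rather than guessed at
    if (/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) out[name] = value;
  }
  return out;
}

// True when the session cookie is missing as its own entry but its "name=" text
// surfaces inside another cookie's value: the leak condition if that value is echoed.
function sessionIdSwallowed(parsed, sessionCookie) {
  if (Object.prototype.hasOwnProperty.call(parsed, sessionCookie)) return false;
  return Object.values(parsed).some((v) => v.includes(sessionCookie + '='));
}

// Constructed headers: an attacker-planted "lang" cookie whose value opens a quote
// (first) or contains an escaped quote (second), followed by the real session cookie.
const HEADER_OPEN_QUOTE = 'lang="en; JSESSIONID=ABC123DEF456; theme=dark';
const HEADER_ESCAPED_QUOTE = 'lang="a\\"; JSESSIONID=ABC123DEF456';

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of [HEADER_OPEN_QUOTE, HEADER_ESCAPED_QUOTE]) {
    const q = parseCookieQuoted(h);
    const s = parseCookieSplitFirst(h);
    console.log('quote-aware:', q, 'swallowed =', sessionIdSwallowed(q, 'JSESSIONID'));
    console.log('split-first:', s, 'swallowed =', sessionIdSwallowed(s, 'JSESSIONID'));
  }
}
```

The split-first parser deliberately keeps the stray quote as part of the "lang" value rather than trying to interpret it; a parser that never lets value syntax influence cookie boundaries cannot be made to misplace a session id, whatever quoting rules the application later applies to the value.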
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through
6.0.18, and possibly earlier versions normalizes the target pathname
* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
random number generator to produce unpredictable IP packet identifiers,
initial TCP sequence numbers and outgoing port numbers. During the
first 300 seconds after booting, it may be easier for an attacker to
execute IP session hijacking, OS fingerprinting, idle scanning, or in
some cases DNS cache poisoning and blind TCP data injection attacks.
* The kernel RPC code uses arc4random(9) to retrieve transaction
identifiers, which might make RPC clients vulnerable to hijacking
attacks.
Security Risk
=============
It is possible to manipulate administrator interface cookies, which may be used to impersonate a legitimate user, allowing the attacker to view or alter user records, and to perform transactions as that user.
The Cookie variable can be set to a malicious and arbitrary value, which can lead to session hijacking and privilege escalation attacks.
Possible Causes
===============
Insecure web application programming or configuration
1.2
Multiple persistent vulnerabilities are detected on the Wolfs Content Management System v0.7.5.
The bug allows a remote attacker or a local low-privileged user account to inject persistent malicious
script code on the application side. Successful exploitation can result in persistent context manipulation
on requests, session hijacking and account theft via application-side phishing.
Vulnerable Module(s):
[+] /plugins/comment/
Joomla: Session hijacking vulnerability, CVE-2008-4122
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4122
http://int21.de/cve/CVE-2008-4122-joomla.html
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Description
Introduction:
=============
The SonicWall NSA 4500 web admin interface offers the option of customizing some web pages directly from the admin interface. For this, the web interface has some forms where the admin can put the code and test it via a preview feature. This preview feature will show the page and execute all the javascript code inside it in the web admin security context, which leads to many traditional attacks, like XSS, session hijacking...
Report-Timeline:
================
III. DESCRIPTION
-------------------------
Websense (Triton 7.6) is prone to reflected XSS in the report management UI, enabling capture of authentication session tokens.
This allows an attacker to gain access to the reporting UI (by session hijacking) or run arbitrary javascript in the context of the administrator's browser and the Websense administrative UI.
IV. PROOF OF CONCEPT
-------------------------
Affected URL:
#2009-004 AjaxTerm session id collision
Description:
AjaxTerm, an open source web based terminal, uses a form of random session id
generation which can lead to remote session hijacking.
The ajaxterm.js script allocates session ids on the client side using the
following method:
var sid=""+Math.round(Math.random()*1000000000);
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
phpBB 2.0.23 Session Hijacking Vulnerability +
found by NBBN 13 Mar 2008 +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
::Information about this vulnerability
If a moderator or an admin closes a thread in phpBB 2.0.X, the session id
is sent via GET:
Brief Description: Collaboration relies on distributed systems that
provide the required security properties. Virtual organizations often
use the Internet to support collaboration. The Internet, operating
systems and distributed environments currently suffer from poor
security support and cannot resist common attacks (spamming, worms,
session hijacking, buffer overflow, denial of service, social
engineering, etc.). Collaborative organizations require better
security properties (strong authentication, efficient encryption,
Mandatory Access Control, integrity, non-repudiation and
availability). Nowadays, collaborative organizations use new
technologies such as mobile devices, smartcards, wireless networks,
CVE-2007-3385: Handling of \" in cookies
Severity:
Low (Session Hi-jacking)
Vendor:
The Apache Software Foundation
Versions Affected:
Mantis: Session hijacking vulnerability, CVE-2008-3102
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3102
http://int21.de/cve/CVE-2008-3102-mantis.html
http://www.mantisbt.org/bugs/view.php?id=9524
http://www.mantisbt.org/bugs/view.php?id=9533
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Advisory Title: Lotus Notes Memory Mapped Files Vulnerability
Author: Ollie Whitehouse / ollie_whitehouse@symantec.com
Release Date: 23-10-2007
Application: Lotus Notes / Domino
Platform: Microsoft Windows
Severity: Session hijacking in shared user environments
/ Data leakage in shared user environments
Vendor status: Updated Application Versions Available
CVE Number: CVE-2007-5544
Reference: http://www.securityfocus.com/bid/26146
Synopsis
========
Multiple vulnerabilities have been found in Asterisk allowing for SQL
injection, session hijacking and unauthorized usage.
Background
==========
Asterisk is an open source telephony engine and tool kit.
1.2
Multiple persistent input validation vulnerabilities are detected in DHTMLX v3.0 Professional|Standard Edition.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user interaction.
Vulnerable Module(s):
[+] Register Form - Input Fields & Login Username Display
Details:
========
Multiple persistent input validation vulnerabilities are detected on the Astaro Security Gateway application (appliance).
The vulnerability allows a local low-privileged user account, or a remote attacker with medium user interaction required, to manipulate
module contexts on the application side. The result of successful exploitation is session hijacking, phishing and stable context manipulation,
or client-side exploitation of the target outside of the gateway web application context.
Vulnerable Module(s):