session id
stolen laptop. If the browser displayed the file
and the user takes no precautions, the file should
be in the browser's cache. To tell you the truth,
the original motivation was just that it's not a
good idea to have a valid authentication token
(the file retrieval session ID) embedded in a URL.
The stolen laptop scenario was an afterthought.
(There is also a more exotic scenario: the
attacker reads the authentication token from the
user's computer display, as it is shown in the
address box of the browser. These days, with a
severities (debugging, informational, error, critical, etc.) and can
be sent to different logging destinations.
A denial of service vulnerability exists in the implementation of one
specific system log message (message ID 302015, "Built outbound UDP
connection session-id for src-intf:IP/Port to dst-intf:IP/Port
ARP-Incomplete") that can cause memory corruption and lead to a lock
up or crash of the Cisco FWSM in the event that that system log
message needs to be generated for IPv6 traffic that has flowed
through the device. The Cisco FWSM may not recover on its own and a
manual reboot may be necessary to recover.
user.authenticate method of the Zabbix API with a 'user' parameter, as we
can tell from the rpc/class.czbxrpc.php file:
// Authentication {{{
if(($resource == 'user') && ($action == 'authenticate')){
$sessionid = null;
$options = array(
'users' => $params['user'],
'extendoutput' => 1,
'get_access' => 1
Exception number: c0000094 (divide by zero)
*----> System Information <----*
Computer Name: --
User Name: --
Terminal Session Id: 0
Number of Processors: 1
Processor Type: x86 Family 15 Model 2 Stepping 4
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
average number of 1s, which greatly reduces the number of guesses an
attacker would have to make to successfully predict the manager ID, which
is used across multiple HTTP queries to hold manager state.

"The issue is the generation of session ids in the AsteriskGUI HTTP server.

When using Glibc, the implementation and state of rand() and random() is
packet has the following structure (from yassl_imp.hpp):
class ClientHello : public HandShakeBase {
ProtocolVersion client_version_;
Random random_;
uint8 id_len_; // session id length
opaque session_id_[ID_LEN];
uint16 suite_len_; // cipher suite length
opaque cipher_suites_[MAX_SUITE_SZ];
uint8 comp_len_; // compression length
CompressionMethod compression_methods_;
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of the
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
3. VULNERABILITY DESCRIPTION
The web-based management interface of the 2Wire Broadband router does not
generate truly unique random session IDs for a logged-in
administrator user.
This allows attackers to brute-force guess a valid session ID to
compromise the administrator session.
For more information about this kind of weakness,
refer to CWE-330: Use of Insufficiently Random Values and CWE-331:
Proof of Concept
================
The following shell script can be used to construct a valid search
request as mentioned above. It expects a valid session ID and
corresponding username as commandline arguments, followed by arguments
that are inserted into the <order_by> and <sql> elements of the POST
request.
----- sql_inject.sh ----------------------------------------------------
3.3 to 3.3.2
Description:
Tomcat incorrectly treats a single quote character (') in a cookie
value as a delimiter. In some circumstances this can lead to the
leaking of information such as session ID to an attacker.
Mitigation:
Upgrade to 6.0.14
Credit:
allows port-forwarding and socks proxies to be created, X11 to be
forwarded... even with the restricted shells.
The daemon binding the port of the web-interface is running as root.
- - Weak session IDs on the web interface
Session IDs are timestamps of when the user logged-in and are trivial to
forge. There are numerous ways of remotely gathering the remote time and
uptime, the easiest being to ask over RPC... Assuming that a user or an
administrator logged into the device shortly after it was powered up, and
II. XSS/Cross Site Scripting
Input passed via the "adult" parameter in index.php, when option is set to com_hbssearch and task is set to showhoteldetails, is not properly sanitised before being used.
This can be exploited to insert arbitrary HTML or JavaScript in a user's browser. An attacker can use this vulnerability to steal cookies or session IDs from users
in the context of an affected site.
PoC/Exploit :
~~~~~~~~~~
http://www.example.com/index.php?option=com_hbssearch&task=showhoteldetails&id=118&adult=2<script>alert(document.cookie);</script>&child=0&r_type=1&chkin=2009-09-15&chkout=2009-09-16&datedif=1&str_day=Tue&end_day=Wed&start_day=Tue&star=
An attacker can later perform any actions the administrator can, such as
dumping the database, installing modules (PHP code execution) and so on.
CubeCart uses a MySQL table named CubeCart_admin_users for storing
information about administrative users.
When an administrator logs in, the application stores his session ID,
browser (user agent) and IP address in the sessId, browser and sessIP
fields.
> SELECT adminId, username, sessId, browser, sessIp FROM
CubeCart_admin_users C;
1, 'admin', '9a58f70e7ded1bcb568b02815a1c4a56', 'Mozilla/5.0 (Windows;
3.3 to 3.3.2
Description:
Tomcat incorrectly handles the character sequence \" in a cookie
value. In some circumstances this can lead to the leaking of
information such as session ID to an attacker.
Mitigation:
Upgrade to 6.0.14
Credit:
sequences may lead to disclosure of memory contents.
CVE-2007-5899
It was discovered that the output_add_rewrite_var() function could
leak session ID information, resulting in information disclosure.
This update also fixes two bugs in the PHP 5.2.4 release which
don't have security impact according to the Debian PHP security policy
(CVE-2007-4657 and CVE-2007-4662), but which are fixed nonetheless.
Command Injection:
------------------
The request to /gateway.php references a vulnerable function, LSRoom_Remoting.doCommand,
within the encoded AMF data. The original parameter for the vulnerable function is
"pref -l /var/system/upgrade/status". Replace this part with the command to be executed.
Authentication to the web application is not necessary; however, a valid PHP session ID
must be passed within the request.
References:
-----------
Proof of Concept
================
The following RSS feed contains JavaScript code in the <title> and
<description> elements that displays a message containing the user's
session ID. This code gets executed when users click on the item to view
it:
------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
>= 3.0.2-r1
Description
===========
CherryPy does not sanitize the session id, provided as a cookie value,
in the FileSession._get_file_path() function before using it as part of
the file name.
Impact
======
Several remote vulnerabilities have been discovered in Moodle, a
course management system. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2010-1613
Moodle does not enable the "Regenerate session id during
login" setting by default, which makes it easier for remote
attackers to conduct session fixation attacks.
CVE-2010-1614
Multiple cross-site scripting (XSS) vulnerabilities allow
Note that '2C6B33BED38F825C48AE73C093241510' is a static value
which represents a filename of a gwt rpc descriptor which can be found inside the default path:
C:\Program Files\CA\ARCserve D2D\TOMCAT\webapps\ROOT\contents\2C6B33BED38F825C48AE73C093241510.gwt.rpc
Note also that this packet does not contain any session id.
Response packet:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
::Information about this vulnerability
If a moderator or an admin closes a thread in phpBB 2.0.X, the session id
is sent via GET:
http://site.tld/phpBB2/modcp.php?t=1&mode=lock&sid=[session]
The admin/moderator is then redirected to the thread (with the
2008 R2 is not affected
** hosted products are VMware Workstation, Player, ACE, Fusion.
b. vCenter Server SOAP ID disclosure
The SOAP session ID can be retrieved by any user that is logged in
to vCenter Server. This might allow a local unprivileged user on
vCenter Server to elevate his or her privileges.
VMware would like to thank Claudio Criscione for reporting this
issue to us.
Additionally, the following properties suffer from Unicode overflows:
serverAddress
sessionId
clientIPLower
clientIPHigher
userName
domainName
dnsSuffix
Firstly, if a user logs in as "SYSTEM" the USERID column only shows "SYSTE"
- only 5 characters. The second problem is that if the same user then
attempts to log in a user "FOO", "FOOTE" is logged in the USERID column -
the "TE" coming from the "TE" of "SYSTE[M]" - the previous login. This only
happens on the same connected TCP circuit; as such all audit entries have
the same SESSIONID.
Fix Information
***************
Oracle was alerted to this flaw on the 9th of March 2006. A patch has now
been made available:
When handling the 'update' action, 'default_comment_display' is the only parameter that isn't sanitized with
mysql_real_escape_string(); this can be exploited to inject arbitrary SQL code. Because this is a multi-line
query and the latest version of MySQL doesn't allow starting a comment with /* that is not followed by a */, it is
sometimes impossible to alter the 'users' table content (e.g. changing the admin's password), but it is still
possible to inject a subquery to fetch, e.g., the session id of the admin for a session hijacking attack.
This is a proof of concept request:
POST /wikka/UserSettings HTTP/1.1
Host: localhost
Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6
records that refer to the login session record.)
It remains to solve the
back-arrow/history/bookmark problem. Here is what
I propose for that: if the file retrieval session
ID does not map to a file retrieval session
record, the application redirects the browser to
the standard user file URL. If the user is logged
in, the redirected request will come in with the
user-file authentication cookie, and the
application will create a file retrieval session
Solution:
The problem can be mitigated by managing the CAPTCHA value at the
application server instead of in the client-side __VIEWSTATE variable,
tying it to the Session ID.
A 10 or 15 minute timeout, if implemented, improves the security as well.
The image cache on the server side must also be expired as soon as it
is rendered to the browser.
Product: Citrix NetScaler
http://www.citrix.com/lang/English/ps2/index.asp
Background:
For most web application logins a user fills out an HTTP form, which sets up the user with a session cookie. The cookie content is merely a session ID, which allows the server-side application to match incoming requests to a specific user and session. If the cookie gets compromised, such as using XSS, the attacker might be able to impersonate the user for the duration of the session but it typically does not allow the attacker to obtain the user's login credentials.
Vulnerability:
The web management interface of Citrix NetScaler stores the user's credentials in an encrypted form in the cookie, namely values ns1 and ns2. In addition the cookie contains other encrypted information in values ns3, ns4, and ns5. Since the encryption is a simple XOR with a fixed key stream it is possible to determine parts of the key stream by XOR'ing a known plaintext with its corresponding ciphertext. This in turn allows the attacker to recover the plaintext form of the user's credentials by applying the key stream to cookie values ns1 and ns2. Furthermore, the cipher does not in any way pad the plaintext before it gets encrypted so the length of the ciphertext is equal to the length of the plaintext, which also provides a clue about the plaintext.