session

Mambo 4.6.2 CMS - Session fixation Issue in backend Administration interface

====================================================================================
Team Intell Security Advisory TISA2007-04
------------------------------------------------------------------------------------
Mambo 4.6.2 CMS - Session fixation Issue in backend Administration interface
====================================================================================


Release date:    01.08.2007
Severity:        Moderately critical
Remote-Exploit:  yes

Joomla 1.0.12 CMS - Session fixation Issue in backend Administration interface

====================================================================================
Team Intell Security Advisory TISA2007-03
------------------------------------------------------------------------------------
Joomla 1.0.12 CMS - Session fixation Issue in backend Administration interface
====================================================================================


Release date:    10.08.2007
Severity:        Moderately critical
Remote-Exploit:  yes
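The bug class these two advisories report (and that several further entries on this page report for other products) is rarely spelled out in the advisories themselves. As an added example, the following Python models it; it is not Mambo or Joomla code (those are PHP), and the attacker-chosen id and the user names are constructed. The first application adopts whatever session id a request carries and keeps it across login; the second accepts only ids it minted itself and issues a fresh one when the user authenticates.

```python
import secrets


def mint_session_id():
    """128 bits from the OS CSPRNG, as a server-issued session id."""
    return secrets.token_hex(16)


class FixableApp:
    """Vulnerable pattern: the request's session id (a cookie, or a
    ?sid=... URL parameter the attacker can plant in a link) is adopted
    as is, a session is created under it if none exists, and the same id
    is kept across login.  Whoever chose the id shares the logged-in
    session."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": name or None}

    def request(self, sid, login_as=None):
        sess = self.sessions.setdefault(sid, {"user": None})
        if login_as is not None:
            sess["user"] = login_as  # authenticate, but keep the id
        return sid, sess["user"]


class HardenedApp:
    """Only server-minted ids are honoured; an unknown id gets a fresh
    anonymous session instead of being adopted.  On login the old session
    is destroyed and a new id is issued (what PHP's
    session_regenerate_id(true) does), so an id the attacker knew before
    login never becomes an authenticated one."""

    def __init__(self):
        self.sessions = {}

    def request(self, sid, login_as=None):
        if sid not in self.sessions:
            sid = mint_session_id()
            self.sessions[sid] = {"user": None}
        if login_as is not None:
            self.sessions.pop(sid)  # destroy the pre-login session
            sid = mint_session_id()
            self.sessions[sid] = {"user": login_as}
        return sid, self.sessions[sid]["user"]


def fixation_attack(app, fixed_sid="attacker-chosen-0000"):
    """Run the three steps of a session fixation attack against `app` and
    return the user the attacker ends up acting as (None: attack failed).
    1. the attacker primes the id by visiting the site with it;
    2. the victim, lured into using the same id, logs in;
    3. the attacker replays the fixed id."""
    app.request(fixed_sid)
    app.request(fixed_sid, login_as="victim")
    _, user = app.request(fixed_sid)
    return user


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(FixableApp()))  # victim
    print("hardened:  ", fixation_attack(HardenedApp()))  # None
```

The vector is the same whether the id arrives in a cookie or in a URL. In PHP, session.use_only_cookies=1 and session.use_trans_sid=0 close the URL route, but the login handler still has to call session_regenerate_id(true); the hardened class above models exactly that step and nothing else.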

Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities

 Released on:   2007/10/21
   Changelog:   ----------
                                                     L   M   H   T
     Summary:   Ip Spoofing                         [X] [_] [_] [X]
                Cross Site Scripting                [X] [_] [_] [X]
                Session Fixation                    [X] [_] [_] [X]
                mail() CRLF Injection               [X] [_] [_] [_]
                Local File Inclusion (+CSRF)        [_] [X] [_] [X]
                File Deletion (+CSRF)               [_] [X] [_] [X]
                File Upload Vulnerability           [_] [_] [X] [X]
                Code Execution (+CSRF)              [_] [_] [X] [X]

FreeWebshop.org: multiple vulnerabilities

------------------------------------------------------------------------
IP spoofing
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
are normally set by proxy servers to expose the user's real IP
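The header-trust problem the advisory describes, as an added example. This is illustrative Python, not FreeWebshop's GetUserIP(); the trusted-proxy ranges and the request values are constructed. The first resolver reproduces the pattern of believing X-Forwarded-For or Client-IP from anyone, which lets the holder of a stolen cookie present the IP the session was bound to. The second honours X-Forwarded-For only when the TCP peer is a known proxy and walks the chain from the right, so an attacker-prepended address is ignored.

```python
import ipaddress

# Constructed for this example: the reverse proxies allowed to set
# X-Forwarded-For for this application.  Anything else reaching the app
# directly is an ordinary client whose headers cannot be trusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.5/32"),
]


def _parse_ip(text):
    """Return an ip_address object, or None if `text` is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted_proxy(ip, trusted):
    addr = _parse_ip(ip)
    return addr is not None and any(addr in net for net in trusted)


def client_ip_vulnerable(remote_addr, headers):
    """The pattern the advisory describes: if X-Forwarded-For or Client-IP
    is present it is believed, whoever sent it.  Since the value is chosen
    by the sender, the IP stored with the session can be matched from
    anywhere, and the check no longer stops replay of a stolen cookie."""
    for name in ("X-Forwarded-For", "Client-IP"):
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy.
    Walk the comma-separated chain right to left (each proxy appends the
    peer it saw), skip trusted hops, and take the first untrusted,
    well-formed address.  Otherwise fall back to the socket address."""
    if not _is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(chain):
        if _is_trusted_proxy(hop, trusted):
            continue
        if _parse_ip(hop) is None:
            break  # malformed entry: do not guess, use the socket address
        return hop
    return remote_addr


def session_ip_check(stored_ip, remote_addr, headers, resolver):
    """The per-request comparison the advisory describes, with the IP
    derivation pluggable so the two resolvers can be compared."""
    return resolver(remote_addr, headers) == stored_ip


if __name__ == "__main__":
    # Constructed scenario: an attacker at 203.0.113.7 replays a stolen
    # cookie whose session was created from 198.51.100.1.
    stolen = {"X-Forwarded-For": "198.51.100.1"}
    print(session_ip_check("198.51.100.1", "203.0.113.7", stolen, client_ip_vulnerable))  # True: bypass
    print(session_ip_check("198.51.100.1", "203.0.113.7", stolen, client_ip_hardened))    # False
```

Binding a session to an IP is a weak control even when done correctly (mobile clients and large NATs change or share addresses), so the hardened resolver is the minimum that makes the check mean anything, not a substitute for a short session lifetime and cookie flags.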

[Exploit] Invision Power Board <= 2.3.5 Multiple Vulnerabilities

                        else 
                        $this->msg('Using ACP path "'.$this->p_acp.'"', 1);
                
                        # Init client headers:
                        # Only if we have the same IP as the targeted user (not admin),
                        # it resets session datas, so we try to spoof our 
                        # IP as a random one in order to keep user's session datas while
                        # we bruteforce SQL fields.
                        $this->bypass_matches();
                
                        # Remove expired sessions ( time() - 60*60*2  =  > 2 hours )

Re: countermeasure against attacks through HTML shared files

the application service provider uses a dedicated
RegisteredDomain for the particular application.

>being able to sandbox each document+viewer combo is great. I think you 
>should do some usability testing with your suggestion that the file
>retrieval session record be deleted when the document is accessed,
> though.
>This is very likely to cause problems with user agents like Internet
> Explorer
>that have aggressive anti-caching stances for https content, and I
> imagine

[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

  - Additional XSS issues if web applications are untrusted
- Tomcat 5.5.x
  - Not affected

Description:
The session list screen (provided by sessionList.jsp) in affected
versions uses the orderBy and sort request parameters without applying
filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session
cookies by default so this vulnerability could expose session cookies
from the manager application to an attacker.

Multiple vulnerabilities in SiT! Support Incident Tracker

The following PoC code is available:

http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+

3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E


Aruba Advisory ID: AID-020810 TLS Protocol Session Renegotiation Security Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aruba Networks Security Advisory

Title: TLS Protocol Session Renegotiation Security Vulnerability

Aruba Advisory ID: AID-020810
Revision: 1.0

For Public Release on 02/08/2010

Secunia Research: OpenX Multiple Vulnerabilities

1) Input passed to the "clientid" parameter in "www/admin/banner-
acl.php", "www/admin/banner-edit.php", "www/admin/campaign-zone.php", 
"www/admin/advertiser-campaigns.php", "www/admin/campaign-
banners.php", and "www/admin/banner-activate.php" is not properly 
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.

2) Input passed to the "orderdirection" and "listorder" parameters in
"www/admin/userlog-index.php" and "www/admin/stats.php" is not 
properly sanitised before being returned to the user. This can be 

Lateral SQL Injection Revisited - No Special Privs Required

Essentially the paper details a way in which the attacker can manipulate the
environment to trick an Oracle database into using arbitrary SQL in DATE
functions and data. 

A number of people at the time dismissed it as irrelevant because the
attacker required the ALTER SESSION privilege. Well, as it turns out, you
don't need the ALTER SESSION privilege at all. Here's why: there are certain
ALTER SESSION statements that can be executed even though the user doesn't
have the ALTER SESSION privilege. The statements that can be executed
without the privilege include those that relate to National Language
Support. Thus a user without ALTER SESSION privileges can change the date

IBM OmniFind - several vulnerabilities

Product: IBM OmniFind Enterprise Edition
Website: http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/
Vulnerabilities:
   - Cross-Site-Scripting (XSS)
   - Cross-Site-Request-Forgery (XSRF)
   - Session fixation
   - Session impersonation
   - Remote buffer overflow
   - Privilege escalation in two applications
   - Missing authentication in configuration panel
   - Admin password is delivered in plaintext inside the server response

Rittal CMC-TC Processing Unit II multiple vulnerabilities

   Application: Rittal CMC-TC PU II Web management

       Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,
                possibly other Rittal products

  Attack type : XSS Type I, XSS Type II, Session prediction,
                Remote command execution in default configuration
      Severity: Moderate
 Vendor Status: Vendor notified.
                Patch already available for XSS vulnerabilities.
                Other vulnerabilities will be addressed in a future

Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)

announce other SASL mechanisms, as shown in the previous section.

Technical details
=================

The Postfix SMTP server creates a SASL handle for each SMTP session,
when SASL authentication is enabled. The Postfix SMTP server will
use this SASL handle until it closes the SMTP connection (the Postfix
SMTP server may create a new server SASL handle when the client and
server agree to switch from a plaintext session to a TLS-encrypted
session, but this does not eliminate the memory corruption problem).

CORE-2011-0204: Adobe Audition vulnerability processing malformed session file

Hash: SHA1

  Core Security Technologies - Corelabs Advisory
       http://corelabs.coresecurity.com/

  Adobe Audition vulnerability processing malformed session file



1. *Advisory Information*


Re: [WEB SECURITY] countermeasure against attacks through HTML shared files

> 
> 
> > To tell you the truth,
> > the original motivation was just that it's not a
> > good idea to have a valid authentication token
> > (the file retrieval session ID) embedded in a URL.
> 
> Sure, it can show up in logs, referer, etc. If
> you don't mind JavaScript, it's easy enough to
> use JavaScript to submit a POST. 
> 

[MajorSecurity Advisory #53]BLUEPAGE CMS - Cross Site Scripting and Session Fixation Issues

Details
=======
Product: BLUEPAGE CMS
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.bluepage-cms.com/
Vendor-Status: informed
Advisory-Status: published

[MajorSecurity Advisory #54]xt:Commerce - Cross Site Scripting and Session Fixation Issues

Details
=======
Product: xt:Commerce
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.xtcommerce-shop.com/
Vendor-Status: informed
Advisory-Status: published

Multiple vulnerabilities in osCmax

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.

1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664

1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:


<form action="http://[host]/admin/login.php?action=process" method="post" name="main" id="main">

ACROS Security: Session Fixation Vulnerability in WebLogic Administration Console (#2008-03-11-2)

PUBLIC

=========================================================================
ACROS Security Problem Report #2008-03-11-2
-------------------------------------------------------------------------
ASPR #2008-03-11-2: Session Fixation Vulnerability in WebLogic 
                    Administration Console 
=========================================================================

Document ID:     ASPR #2008-03-11-2-PUB
Vendor:          BEA Systems (http://www.bea.com)

Oracle Enterprise Manager vulnerable to Session fixation (CVE-2012-0528)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AppSecInc Team SHATTER Security Advisory

Oracle Enterprise Manager vulnerable to Session fixation.

Risk Level:
Low

Affected versions:

[HACKATTACK Advisory 20081127]Social Impress CMS 1.1 - Session Fixation

[HACKATTACK Advisory #3]Social Impress CMS 1.1 - Session Fixation

Details
************************
Product: Impress CMS
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.impresscms.info
Vendor-Status: informed
Advisory-Status: not yet published

[HACKATTACK Advisory 20081203]Pro Clan Manager 0.4.2 - Session Fixation

Details
************************
Product: Pro Clan Manager CMS
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.proclanmanager.com/
Vendor-Status: informed
Advisory-Status: not yet published

[HACKATTACK Advisory 25012009]ConPresso CMS 4.07 - Session Fixation, XFS, XSS

Details
************************
Product: ConPresso CMS 4.07
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.conpresso.de/
Vendor-Status: informed
Advisory-Status: not yet published

two bytehoard 2.1 bugs

Application: Bytehoard
Versions: 2.1 (alpha to epsilon)
Release Date: 2007-11-26
Author: Ernesto Alvarez / Activesec SA
Kudos to: Rodrigo Seguel / Activesec SA for suggesting the session 
destruction approach
Contact info: ealvarez at activesec biz
Developer response: None. No response to mail, forum inactive and 
bugtracker operating intermittently.


[SWRX-2009-002] McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SecureWorks Security Advisory SWRX-2009-002
McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability


Advisory Information
Title: McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability
Advisory ID: SWRX-2009-002

[oCERT-2009-004] AjaxTerm session id collision

#2009-004 AjaxTerm session id collision

Description:

AjaxTerm, an open source web based terminal, uses a form of random session id
generation which can lead to remote session hijacking.

The ajaxterm.js script allocates session ids on the client side using the
following method:
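The excerpt stops before the quoted method, so nothing below reproduces AjaxTerm's generator. As an added example, the following Python quantifies the part of the problem that applies to any session id scheme: how the size of the id space sets the number of concurrent sessions at which two users will share an id. The two schemes assessed in the main block (a 9-digit decimal id and a 32-hex-character id) are constructed for illustration, and the figures assume a uniform generator, which is the best case; a client-side generator can also be predictable, which this calculation does not capture.

```python
import math


def id_space(alphabet_size, length):
    """Number of distinct ids a scheme can produce."""
    return alphabet_size ** length


def collision_probability(sessions, space):
    """Birthday bound: P(some two of `sessions` ids coincide) = 1 - exp(-n^2 / 2d).
    expm1 keeps precision when the probability is tiny."""
    return -math.expm1(-(sessions * sessions) / (2.0 * space))


def sessions_for_collision(p, space):
    """Number of concurrent ids at which the collision probability reaches p."""
    return math.sqrt(-2.0 * space * math.log1p(-p))


def assess_id_scheme(alphabet_size, length, expected_sessions):
    """Summarise a scheme: entropy ceiling in bits, collision probability
    at the expected load, and the load at which a collision is a coin toss."""
    d = id_space(alphabet_size, length)
    return {
        "bits": math.log2(d),
        "p_collision": collision_probability(expected_sessions, d),
        "sessions_at_50pct": sessions_for_collision(0.5, d),
    }


if __name__ == "__main__":
    # Constructed schemes for comparison, not AjaxTerm's actual generator.
    print("9 decimal digits, 40k sessions:", assess_id_scheme(10, 9, 40_000))
    print("32 hex chars,    1M sessions:  ", assess_id_scheme(16, 32, 1_000_000))
```

A 30-bit space reaches even odds of a collision at roughly 37,000 live sessions; a 128-bit space minted on the server from a CSPRNG stays astronomically far from that. Allocating the id on the client is the deeper fault: whatever the client picks, the server cannot know how it was generated, so it must mint ids itself and treat any id it did not issue as unknown.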

Corsaire Security Advisory - Citrix Access Gateway session ID disclosure issue

tracking services picked this up via the Citrix advisory)...


-- Corsaire Security Advisory --

Title: Citrix Access Gateway session ID disclosure issue
Date: 05.09.06
Application: Citrix Advanced Access Control 4.0
             Citrix Advanced Access Control 4.2
             Citrix Access Gateway 4.5 Advanced Edition
             Citrix Access Gateway 4.5 Standard Edition

MITKRB5-SA-2010-007 Multiple checksum handling vulnerabilities [CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021]

handling logic, other implementations may also be vulnerable.

CVE-2010-1324

MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121) of the GSS-API
krb5 mechanism.

MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum for PAC signatures.  Running exclusively krb5-1.8 or newer
KDCs blocks the attack.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
