session cookie
two implementations of the Apache Axis2 Web services engine - Apache
Axis2/Java and Apache Axis2/C.
We have found a Session Fixation Vulnerability [2][3] in Apache Axis2.
When successfully exploited, this vulnerability allows to fixate a
Session Cookie in the browser of the victim, this way it's possible to
perform session hijacking attacks.
The chances of achieving success increases when the application is
vulnerable to Cross Site Scripting or HTTP Header Injection.
core/utility_api.php (CVE-2008-4687).
* Privileges of viewers are not sufficiently checked before composing
a link with issue data in the source anchor (CVE-2008-4688).
* Mantis does not unset the session cookie during logout
(CVE-2008-4689).
* Mantis does not set the secure flag for the session cookie in an
HTTPS session (CVE-2008-3102).
When configuring a web application to use only ssl (e. g. by forwarding all
http-requests to https), a user would expect that sniffing and hijacking the
session is impossible.
Though, for this to be secure, one needs to set the session cookie to have the
secure flag. Else the cookie will be transferred through http if the victim's
browser does a single http-request on the same domain.
Joomla 1.5.8 does not set that flag. I've contacted the Joomla security team
in advance but got no reply.
Problem Description:
A vulnerability has been identified and corrected in squirrelmail:
Squirrelmail 1.4.15 does not set the secure flag for the session
cookie in an https session, which can cause the cookie to be sent in
http requests and make it easier for remote attackers to capture this
cookie (CVE-2008-3663).
Additionally many of the bundled plugins has been upgraded. The
localization has also been upgraded. Basically this is a syncronization
commands and instantiate certain ActiveX controls.
As a result of a successful attack, security or privacy-sensitive
information can be obtained by an attacker including but not limited to
user authentication credentials for any web application domain, HTTP
cookies, session management data, cached content of web applications in
different domains and any files stored on local filesystems.
The bug is related to a lack of enforcement of security policies
assigned to URL Security Zones [2] when content from the corresponding
zone is loaded and rendered from a local file. These issues have been
When configuring a web application to use only ssl (e. g. by forwarding all
http-requests to https), a user would expect that sniffing and hijacking the
session is impossible.
Though, for this to be secure, one needs to set the session cookie to have the
secure flag. Else the cookie will be transferred through http if the victim's
browser does a single http-request on the same domain.
gallery versions before 2.2.6 did not set this flag.
The vulnerability exists due to the “/gwtTeaming.rpc” code not properly sanitizing user input into the “What Are You Working On?” or Micro Blog entry field. Also, the application fails to encode the output allowing for the execution of the script.
Tested on: Cent OS 5.5 (kernel 2.6.18-194), MySQL Version 14.12 Distribution 5.0.77, and Novell Vibe 3 BETA OnPrem.
Affected software versions: Vibe 3 BETA OnPrem
Impact: Any user who can view another user’s Micro Blog entry is vulnerable to this XSS attack. Successful exploitation of this vulnerability could result in session cookie theft, session hijacking, URL redirection, and possible operating system code execution on the targeted victim’s host.
Fixed in: Fixed in the final shipping version of Novell Vibe OnPrem 3
Remediation guidelines: Update to the final shipping version of Novell Vibe OnPrem 3
When configuring a web application to use only ssl (e. g. by forwarding all
http-requests to https), a user would expect that sniffing and hijacking the
session is impossible.
Though, for this to be secure, one needs to set the session cookie to have the
secure flag. Else the cookie will be transferred through http if the victim's
browser does a single http-request on the same domain.
The drupal CMS is vulnerable to this issue. They don't consider this as a
drupal issue and have not published a fix yet.
When configuring a web application to use only ssl (e. g. by forwarding all
http-requests to https), a user would expect that sniffing and hijacking the
session is impossible.
Though, for this to be secure, one needs to set the session cookie to have the
secure flag. Else the cookie will be transferred through http if the victim's
browser does a single http-request on the same domain.
Squirrelmail does not set that flag. It is fixed in the 1.5 test versions, but
current 1.4.15 is vulnerable.
* Digital Security Research Group reported a directory traversal
vulnerability in contrib/phpBB2/modules.php in Gallery 1, when
register_globals is enabled (CVE-2008-3600).
* Hanno Boeck reported that Gallery 1 and 2 did not set the secure
flag for the session cookie in an HTTPS session (CVE-2008-3662).
* Alex Ustinov reported that Gallery 1 and 2 does not properly handle
ZIP archives containing symbolic links (CVE-2008-4129).
* The vendor reported a Cross-Site Scripting vulnerability in Gallery
Release mode: Coordinated release
Discovered by: Daniel King, SecureWorks
Summary
McAfee Network Security Manager is vulnerable to authentication bypass via HTTP session cookie hijacking. A remote attacker could exploit this vulnerability to hijack an existing session to the Network Security Manager.
Affected Products
McAfee Network Security Manager (NSM), version 5.1.7.7 (default configuration).
It is unknown which other versions, if any, are affected as of November 11, 2009.
and Exposures project identifies the following problems:
CVE-2007-3799
The session_start function allows remote attackers to insert
arbitrary attributes into the session cookie via special characters
in a cookie that is obtained from various parameters.
CVE-2007-3806
A denial of service was possible through a malicious script abusing
all the necessary changes.
Details follow:
Loc Minier discovered that xvfb-run did not correctly keep the
X.org session cookie private. A local attacker could gain access
to any local sessions started by xvfb-run. Ubuntu 9.10 was not
affected. (CVE-2009-1573)
It was discovered that the X.org server did not correctly handle
certain calculations. A remote attacker could exploit this to
Vulnerability Details
- ---------------------
The TANDBERG VCS web management interface utilizes custom cookies for the
purpose of session management. In version x4.2.1 of the appliance firmware
(and possibly earlier versions), it is possible to forge session cookies with
relatively little knowledge of the appliance's configuration.
The vulnerability lies in the files located at the following paths:
/tandberg/web/lib/secure.php
/tandberg/web/user/lib/secure.php
If, for example, facebook set the cookie in a non https session, or in
the url or via a redirect to a uniquely generated page name which in
turn set the cookie depending on the variables passed in a URL or other
cached content, and two users browsed the page content in relatively
short periods of time, the session cookie issued would be identical.
Meaning the second person to browse facebook would be logged in as the
first person who had already authenticated themselves.
Maybe someone can check if the mobile operator had recently implemented
something like this?
When configuring a web application to use only ssl (e. g. by forwarding all
http-requests to https), a user would expect that sniffing and hijacking the
session is impossible.
Though, for this to be secure, one needs to set the session cookie to have the
secure flag. Else the cookie will be transferred through http if the victim's
browser does a single http-request on the same domain.
The mantis bugtracker does not set that flag. The mantis team has fixed this
issue, but not released a new version yet.
------------------------------------------------------------------------
IP spoofing
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
are normally set by proxy servers to expose the user's real IP
arbitrary web script or HTML via a filename associated with a file
upload (CVE-2011-0697).
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and
1.2.x before 1.2.5 on Windows might allow remote attackers to read or
execute files via a / (slash) character in a key in a session cookie,
related to session replays (CVE-2011-0698).
The updated packages have been upgraded to the 1.1.4 version which
is not vulnerable to these issues.
_______________________________________________________________________
|
