Insecure web application programming or configuration
Technical Description
=====================
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for the user to login, and then uses the predefined session ID value to assume the user's online identity.
In general, there are two types of session management systems for ID values. The first type is "permissive" systems, that allow web browsers to specify any ID. The second type is "strict" systems, that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the web site. Strict systems require that the attacker maintain the "trap-session", with periodic web site contact, preventing inactivity timeouts.
Without active protection against session fixation, the attack can be mounted against any web site using sessions to identify authenticated users. Web sites using session IDs are normally cookie-based, but URLs and hidden form-fields are used as well. Unfortunately, cookie-based sessions are the easiest to attack. Most of the currently identified attack methods are aimed toward the fixation of cookies.
tracking services picked this up via the Citrix advisory)...
-- Corsaire Security Advisory --
Title: Citrix Access Gateway session ID disclosure issue
Date: 05.09.06
Application: Citrix Advanced Access Control 4.0
Citrix Advanced Access Control 4.2
Citrix Access Gateway 4.5 Advanced Edition
Citrix Access Gateway 4.5 Standard Edition
# Cookie prefix
$this->get_cprefix();
}
# Admin session ?
$this->msg('Trying to find an admin session id', 0);
# Got one :]
if( $this->get_admin_sess() )
{
$this->s_admin = true;
PHPKIT 1.6.4 PL1: 2 XSRF Vulnerabilities found by NBBN
###################################################################
Vendor: http://www.phpkit.de/
PHPKIT sends the session ID via GET in every link in the forum. So if an attacker
sends a link to a victim, for example in a private message, he has the
session ID as soon as he filters the Referer:
*******************************************************************************************
<?php
The MSNP15 protocol used by Windows Live Messenger Client 8.5.1 transmits
information about the public and private IP address. This happens
during a conversation that is started with a contact in our contacts list.
By analyzing the conversation with Wireshark it can be seen that, in
addition to passing information such as the sessionid, the Cal and the
Ringing, it also passes Ipv4ExternalAddrsAndPorts and
Ipv4InternalAddrsAndPorts. Ipv4ExternalAddrsAndPorts indicates the
public IP address with its port; Ipv4InternalAddrsAndPorts
indicates the private IP address and port of our interlocutor.
This happens because the server fails to properly manage the various NAT
Application: RunCMS
Versions Affected: RunCMS 1.6
Vendor URL: http://www.runcms.org
Bugs: SQL Injections, XSS, PHP Include, Predictable session id, etc.
Exploits: Available
Reported: 14.12.2007
Vendor response: 15.12.2007
Date of Public Advisory: 25.12.2007
Authors: Alexandr Polyakov, Stas Svistunovich
>
>
> > To tell you the truth,
> > the original motivation was just that it's not a
> > good idea to have a valid authentication token
> > (the file retrieval session ID) embedded in a URL.
>
> Sure, it can show up in logs, referer, etc. If
> you don't mind JavaScript, it's easy enough to
> use JavaScript to submit a POST.
>
Host: localhost\r\n
X-Forwarded-For: 127.0.0.1\r\n
Connection: keep-alive\r\n\r\n
Later, we'll see how to gain the administrator's session
ID. Even if we obtain the right session ID, there is a
protection that "normally" doesn't permit us to be logged in.
Let's see a part of the file "scripts/sb_login.php":
// Check if user is logged in.
if ( isset( $_SESSION[ 'logged_in' ] ) &&
3. session fixation:
---------------------
The "PHPSESSID" parameter can be set to a malicious and arbitrary value.
3.1 Description:
In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server.
After a user's session ID has been fixed, the attacker will wait for them to login.
Once the user does so, the attacker uses the predefined session ID value to assume their online identity.
3.2 PoC:
============
Vulnerability:
~~~~~~~~~~~~~~
Input passed to the "seid" parameter in the events module is not properly verified before being used in an SQL query.
This can be exploited through the browser to obtain the MD5 password hashes of members and retrieve the admin session ID.
Successful exploitation requires that "magic_quotes" is off.
Poc/Exploit:
~~~~~~~~~~
2. session fixation:
---------------------
The "PHPSESSID" parameter can be set to a malicious and arbitrary value.
2.1 Description:
In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server.
After a user's session ID has been fixed, the attacker will wait for them to login.
Once the user does so, the attacker uses the predefined session ID value to assume their online identity.
2.2 PoC:
============
1. Cookie_Manipulation:
---------------------
The cookie variable "PHPSESSID" parameter can be set to a malicious and arbitrary value.
1.1 Description:
In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server.
After a user's session ID has been fixed, the attacker will wait for them to login.
Once the user does so, the attacker uses the predefined session ID value to assume their online identity.
Workaround:
************************
* Session fixation (CVE-2010-3892)
The login form of the administrator interface is vulnerable to session fixation
attacks. And attacker can use a prepared website or a XSS vulnerability (CVE-2010-3890)
to change session ID (SID) of the login form. The SID have to be generated by the
server. An attacker can visit the login interface and take the generated value and use
this for the attack. After a valid authentication of the victim with the attacker SID,
the attacker can do any action in the context of the administrator.
Solution
=============
Accept: text/xml,application/xml,application/xhtml+xml
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: sessionid=[...]; cadata="[...]"
And we get a redirection to the website defined:
HTTP/1.1 200 OK
Cache-Control: No-cache
Content-Length: 277
%2527 OR 1=%2522%2527%2522 UNION ...
OR 1=%2522%2527%2522 #
Now we are able to get each value stored in the database.
We can try to get a valid session_id; we can also
brute-force the hash (combined with the salt) in order
to get a password. We don't need a specific PHP
configuration, and we can do that with guest rights.
can inject arbitrary mouse movements and press mouse buttons.
Depending on the operating system and setup this may be used to
compromise computers attached to the kvm switch.
Severity: Medium
CVE-2009-1474: Session ID Cookie not secure-only
When the user connects to the device via http on port 80, the device
redirects the user to the same device on port 443 (https). There the
user logs in and gets a session ID cookie. However, this cookie does
not carry the Secure attribute as specified in RFC 2109. When the user
goes back to http for any reason, an attacker can sniff the session
Found another vector of injection in /private/system/lib-session.php near lines 97-117:
...
if (isset ($_COOKIE[$_CONF['cookie_session']])) {
$sessid = COM_applyFilter ($_COOKIE[$_CONF['cookie_session']]);
if ($_SESS_VERBOSE) {
COM_errorLog("got $sessid as the session id from lib-sessions.php",1);
}
$userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
if ($_SESS_VERBOSE) {
handling erroneous requests. This allows an attacker to inject HTML and
client-side scripts into the victim's browser by creating suitable links.
This vulnerability cannot be used for session hijacking, because
CMC-TC PU II requires each valid request to contain the current session
ID as a URL parameter. Requests without a session ID are redirected to
the login page. Therefore only phishing-type attacks or attacks
against the user's browser are possible.
Successful exploitation requires that the attacker can lure or force
the user to follow the malicious link.
stolen laptop. If the browser displayed the file
and the user takes no precautions, the file should
be in the browser's cache. To tell you the truth,
the original motivation was just that it's not a
good idea to have a valid authentication token
(the file retrieval session ID) embedded in a URL.
The stolen laptop scenario was an afterthought.
(There is also a more exotic scenario: the
attacker reads the authentication token from the
user's computer display, as it is shown in the
address box of the browser. These days, with a
Details.
The web application uses cookie parameters passed via HTTP
requests to identify which user is logged in. Authentication
routines can be bypassed by simply appending the below POC
string to a cookie which already contains a valid ASP.NET
session ID. The value given to the various cookie parameters
indicates the specific user ID for the application user the
attacker wishes to impersonate.
Proof of Concept.
To exploit this vulnerability, simply browse to the software
Unsafe session handling
------------------------------------------------------------------------
FWS uses its own session handler instead of the default one provided
with PHP. There are many pitfalls when dealing with sessions. It is
generally not advised to create your own session handler. Common errors
made when doing so are the creation of predictable session identifiers
or the possibility of replay of session information.
The session handler uses two different cookies, one for logged in users
named fws_cust and one for guest users that is named fws_guest. FWS
will first check if the fws_cust cookie has been set by the browser. If
looking for candidates for a web authentication system and it seems
fairly obvious from looking at the source:
In line 516 of the CPAN version
[http://search.cpan.org/~dcastro/Apache-AuthCAS-0.4/lib/Apache/AuthCAS.pm],
the session ID is extracted from the cookie as
$cookie =~ /.*$SESSION_COOKIE_NAME=([^;]+)(\s*;.*|\s*$)/;
$sid = $1 || "";
then it is passed to get_session_data() in line 544 without sanitizing
OXID eShop EE is a widespread and popular CMS for online shops.
The current release (4.2.0) has been found vulnerable to a session fixation and a XSS attack.
- Session Fixation
Passing the parameter sid via the URL allows an attacker to fix the session ID to a given value.
By fooling legitimate users into following the attacker-provided URL with the fixed session ID, the attacker would be able to take over the user's session.
Example: http://vulnerable.system.com/index.php?sid=12345
- XSS
#2009-004 AjaxTerm session id collision
Description:
AjaxTerm, an open source web based terminal, uses a form of random session id
generation which can lead to remote session hijacking.
The ajaxterm.js script allocates session ids on the client side using the
following method:
Packetninjas L.L.C
www.packetninjas.net
-= Security Advisory =-
Advisory: Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date: unknown
Last Modified: 09/27/2010
Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]
Application: Zeacom Chat Application <= 5.0 SP4