
session management

CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability

      Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]

 Application: Zeacom Chat Application <= 5.0 SP4
    Severity: 
    
        Weak session management exists within the Zeacom web-chat application,
        enabling brute force of the session ID, which in turn allows hijacking of another user's chat session.
        The Zeacom application handles new sessions through a 10 character string (JSESSIONID),
        resulting in an effective 9 bit entropy level for session management. The end result of an
        attack would enable an attacker to hijack a session where private information is revealed
        within a chat session or a denial of service within the application server resulting in

Rittal CMC-TC Processing Unit II multiple vulnerabilities

Details:

    Several vulnerabilities were identified in the CMC-TC PU II web
    interface. These include XSS Type I, XSS Type II, weak session
    management and insecure default configuration.

    XSS Type 1:
    -----------
    The web application fails to validate and/or HTML-encode user input when
    handling erroneous requests. This allows an attacker to inject HTML and

[SECURITY] [DSA 2098-1] New typo3-src packages fix several vulnerabilities

CVE Id(s)      : not yet available
Debian Bug     : 590719

Several remote vulnerabilities have been discovered in the TYPO3 web
content management framework: cross-site scripting, open redirection,
SQL injection, broken authentication and session management,
insecure randomness, information disclosure and arbitrary code
execution. More details can be found in the TYPO3 security advisory:
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-012/

For the stable distribution (lenny), these problems have been fixed in

Re: Airkiosk/formlib application is XSS vuln

SECURITY IMPLICATIONS:

Low.  "Skein" has written separately (not on bugtraq) that the danger
was "for who want to steal cookies."  This speculation concerns sessions
in which cookies are involved.   However, the AirKiosk system does not
rely on cookies for session management.  The AirKiosk system does not
use cookies at all, and we discourage their use generally.

STATUS:

formlib.pl has been patched where applicable and possible code injection

Re: [Webappsec] Paper: Weaning the Web off of Session Cookies

>
>
> Abstract
> ========
> In this paper, we compare the security weaknesses and usability
> limitations of both cookie-based session management and HTTP digest
> authentication; demonstrating how digest authentication is clearly the
> more secure system in practice.  We propose several small changes in
> browser behavior and HTTP standards that will make HTTP authentication
> schemes, such as digest authentication, a viable option in future
> application development.

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

commands and instantiate certain ActiveX controls.

As a result of a successful attack, security or privacy-sensitive
information can be obtained by an attacker including but not limited to
user authentication credentials for any web application domain, HTTP
cookies, session management data, cached content of web applications in
different domains and any files stored on local filesystems.

The bug is related to a lack of enforcement of security policies
assigned to URL Security Zones [2] when content from the corresponding
zone is loaded and rendered from a local file. These issues have been

CubeCart 4 Session Management Bypass

Release Date: 2009/10/29
Author: Bogdan Calin (bogdan [at] acunetix [dot] com)
Severity: Critical
Vendor Status: Vendor has released an updated version

I. Background

From Wikipedia: CubeCart is a free-to-use eCommerce software solution,

CVE-2009-4509: TANDBERG VCS Authentication Bypass

Vulnerability Details
---------------------
The TANDBERG VCS web management interface utilizes custom cookies for the
purpose of session management.  In version x4.2.1 of the appliance firmware 
(and possibly earlier versions), it is possible to forge session cookies with
relatively little knowledge of the appliance's configuration.

The vulnerability lies in the files located at the following paths:
  /tandberg/web/lib/secure.php

Academic Web Tools CMS <= 1.4.2.8 Multiple Vulnerabilities

                2.4.1. Exploit:
                        Check the exploit/POC section.
        2.6. Cross Site Scripting (XSS). Stored XSS attack in "/room.php" chat service.
                2.6.1. Exploit:
                        Check the exploit/POC section.
        2.7. Session Management Flaw. "/homepg/index.php" and "/homepg/login.php" are vulnerable to session fixation.
                2.7.1. Exploit:
                        Check the exploit/POC section.
####################
3. Exploits/POCs:
####################

Re: [Webappsec] Paper: Weaning the Web off of Session Cookies

>> (and Google) LOVE cookies. So that is what it is and I really don't
>> see that changing until they can inject a tracking device into your
>> body.
>
> As the paper points out, these business drivers act against making
> cookie primitives more usable for session management.
>
> Thanks for taking the time to read it,
> tim
>


ZyXEL Gateways Vulnerability Research: http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf

- SNMP read and SNMP *write* access enabled by default: not only do we
demonstrate how to change settings, but we also show how to obtain the
credentials for the Dynamic DNS service in cleartext

- Poor session management allows hijacking of admin sessions

- Authentication vulnerable to replay and password cracking attacks

- Disclosure of credentials: several types of credentials travel in the 
clear when being submitted by the user, and also when being returned 

[SECURITY] [DSA 2098-2] New typo3-src packages fix regression

make the backend functionality unusable. This update corrects the
problem. For reference, the original advisory is below.

Several remote vulnerabilities have been discovered in the TYPO3 web
content management framework: cross-site scripting, open redirection,
SQL injection, broken authentication and session management,
insecure randomness, information disclosure and arbitrary code
execution. More details can be found in the TYPO3 security advisory:
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-012/

For the stable distribution (lenny), these problems have been fixed in

[ GLSA 200801-11 ] CherryPy: Directory traversal vulnerability

Workaround
==========

Disable the "FileSession" functionality by using "PostgresqlSession" or
"RamSession" session management in your CherryPy application.

Resolution
==========

All CherryPy 2.2 users should upgrade to the latest version:

TWSL2012-008: Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization are controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.

Example:


Re: [Webappsec] Paper: Weaning the Web off of Session Cookies

>>
>>
>> Abstract
>> ========
>> In this paper, we compare the security weaknesses and usability
>> limitations of both cookie-based session management and HTTP digest
>> authentication; demonstrating how digest authentication is clearly the
>> more secure system in practice.  We propose several small changes in
>> browser behavior and HTTP standards that will make HTTP authentication
>> schemes, such as digest authentication, a viable option in future
>> application development.

TWSL2011-002:Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR)

logged into the device, the attacker would be provided remote
administration into the gateway device, including a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.


Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of the
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.

Re: Airkiosk/formlib application is XSS vuln

> SECURITY IMPLICATIONS:
> 
> Low.  "Skein" has written separately (not on bugtraq) that the danger
> was "for who want to steal cookies."  This speculation concerns sessions
> in which cookies are involved.   However, the AirKiosk system does not
> rely on cookies for session management.  The AirKiosk system does not
> use cookies at all, and we discourage their use generally.

[AntiSnatchOr] Pentaho Bi-server multiple vulnerabilities

1.7.0.1062 and earlier versions are vulnerable.

V. WORKAROUND

Proper input validation and session management will fix the vulnerabilities.

VI. VENDOR RESPONSE

No fix available.
