sessions
====================================================================================
Team Intell Security Advisory TISA2007-04
------------------------------------------------------------------------------------
Mambo 4.6.2 CMS - Session fixation Issue in backend Administration interface
====================================================================================
Release date: 01.08.2007
Severity: Moderately critical
Remote-Exploit: yes
====================================================================================
Team Intell Security Advisory TISA2007-03
------------------------------------------------------------------------------------
Joomla 1.0.12 CMS - Session fixation Issue in backend Administration interface
====================================================================================
Release date: 10.08.2007
Severity: Moderately critical
Remote-Exploit: yes
Released on: 2007/10/21
Changelog: ----------
Summary:
                                     L    M    H    T
  IP Spoofing                       [X]  [_]  [_]  [X]
  Cross Site Scripting              [X]  [_]  [_]  [X]
  Session Fixation                  [X]  [_]  [_]  [X]
  mail() CRLF Injection             [X]  [_]  [_]  [_]
  Local File Inclusion (+CSRF)      [_]  [X]  [_]  [X]
  File Deletion (+CSRF)             [_]  [X]  [_]  [X]
  File Upload Vulnerability         [_]  [_]  [X]  [X]
  Code Execution (+CSRF)            [_]  [_]  [X]  [X]
else
$this->msg('Using ACP path "'.$this->p_acp.'"', 1);
# Init client headers:
# If we come from the same IP as the targeted user (not admin),
# the application resets the session data, so we spoof our
# IP as a random one in order to keep the user's session data while
# we bruteforce SQL fields.
$this->bypass_matches();
# Remove expired sessions ( time() - 60*60*2 = > 2 hours )
receive notice no later than April 1, 2008 to let you know if your
talk has been accepted.
As we have a single presentation track, please bear in mind that
speaking slots are limited to one hour. While presenters typically
divide the hour into separate presentation and Q&A sessions, you may
structure your time however you see fit. If you think your
presentation will run longer, or have any special requirements, please
include this information in your submission and we will do our best to
accommodate you.
------------------------------------------------------------------------
IP spoofing
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
are normally set by proxy servers to expose the user's real IP
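As an added example (not code from the FWS advisory or from FWS itself), the following Python reproduces the GetUserIP() behaviour the text describes and places a hardened variant beside it. The header names, the 10.0.0.0/8 trusted-proxy range and the sample addresses are assumptions for the demonstration: a client that writes its own X-Forwarded-For header defeats an IP check that reads that header before the socket address, whereas the hardened version only consults forwarded headers when the request actually arrived from a known proxy, and then takes the right-most hop that a proxy appended.

```python
import ipaddress
from typing import Callable, Mapping

# Assumed reverse-proxy range for the hardened variant (the advisory names none).
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"),)


def _is_trusted(addr, proxies) -> bool:
    return any(addr in net for net in proxies)


def get_user_ip_vulnerable(environ: Mapping[str, str]) -> str:
    """Behaviour described in the advisory: forwarded headers win over the
    socket address. Any client can set these headers, so the result is
    attacker-controlled."""
    for header in ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP"):
        value = environ.get(header, "")
        if value.strip():
            return value.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def get_user_ip_hardened(environ: Mapping[str, str], proxies=TRUSTED_PROXIES) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    take the right-most hop that is not itself a trusted proxy (the address a
    proxy appended, not one the client wrote)."""
    remote = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not _is_trusted(remote, proxies):
        return str(remote)                      # direct client: header is untrusted
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(remote)                  # malformed header: fall back to the peer
        if not _is_trusted(addr, proxies):
            return str(addr)
    return str(remote)


def session_valid(stored_ip: str, environ: Mapping[str, str],
                  resolver: Callable[[Mapping[str, str]], str]) -> bool:
    """The comparison the advisory describes: the IP stored at login must
    equal the IP derived from the request presenting the cookie."""
    return resolver(environ) == stored_ip


# Constructed scenario: the victim logged in from 203.0.113.7; an attacker at
# 198.51.100.9 replays the stolen cookie and forges the forwarding header.
VICTIM_IP = "203.0.113.7"
REPLAY = {"REMOTE_ADDR": "198.51.100.9", "HTTP_X_FORWARDED_FOR": VICTIM_IP}

if __name__ == "__main__":
    print("vulnerable accepts replay:", session_valid(VICTIM_IP, REPLAY, get_user_ip_vulnerable))
    print("hardened accepts replay:  ", session_valid(VICTIM_IP, REPLAY, get_user_ip_hardened))
```

Note that even the hardened resolver only helps when the proxy list is exact: a proxy that forwards the client's own X-Forwarded-For without appending its peer address reintroduces the problem, so the proxy must be configured to append, not pass through.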
- Additional XSS issues if web applications are untrusted
- Tomcat 5.5.x
  - Not affected
Description:
The session list screen (provided by sessionList.jsp) in affected
versions uses the orderBy and sort request parameters without applying
filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session
cookies by default so this vulnerability could expose session cookies
from the manager application to an attacker.
the application service provider uses a dedicated
RegisteredDomain for the particular application.
> being able to sandbox each document+viewer combo is great. I think you
> should do some usability testing with your suggestion that the file
> retrieval session record be deleted when the document is accessed, though.
> This is very likely to cause problems with user agents like Internet Explorer
> that have aggressive anti-caching stances for https content, and I imagine
The following PoC code is available:
http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+
3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.
The following PoC code is available:
http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
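The two PoC URLs above are URL-encoded, which hides what the server actually receives. As an added example (not code from the advisory or from the affected application), the following Python decodes request URLs the way a web server would and tags parameters that carry the error-based MySQL injection markers of the first PoC or the reflected-script markers of the second. The third sample request is a constructed benign request for contrast, and the marker patterns are a deliberately small assumption for the demonstration, not a complete injection signature set.

```python
import re
from urllib.parse import parse_qsl, unquote

# The first two entries are the PoC URLs quoted above; the third is a
# constructed benign request.
SAMPLE_REQUESTS = [
    "http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+",
    "http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E",
    "http://[host]/contact_support.php?mode=1",
]

# Markers of the error-based MySQL technique in the first PoC (UNION/SELECT,
# @@version, the GROUP BY duplicate-key trick) and of reflected script in the
# second. Assumed for this example; a real ruleset is much larger.
SQLI_RE = re.compile(r"\bunion\b[\s\S]*\bselect\b|@@version|\bgroup\s+by\b", re.I)
XSS_RE = re.compile(r"<\s*/?\s*script\b|\bon(load|error|click|mouseover|focus)\s*=|javascript:", re.I)


def split_request(url: str):
    """Return (path, raw query). The advisories write the host as the literal
    placeholder "[host]", which urllib.parse rejects as a bracketed host, so
    the scheme and authority are stripped by hand."""
    _, _, rest = url.partition("://")
    _, _, path_query = rest.partition("/")
    path, _, query = path_query.partition("?")
    return "/" + path, query


def classify(url: str):
    """Decode each parameter (a second unquote catches double encoding) and
    return (path, parameter, kind) for every parameter that matches."""
    path, query = split_request(url)
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if SQLI_RE.search(decoded):
            findings.append((path, name, "sqli"))
        if XSS_RE.search(decoded):
            findings.append((path, name, "xss"))
    return findings


def scan(urls):
    """Run classify() over a batch of request URLs, e.g. lines from an access log."""
    return [finding for url in urls for finding in classify(url)]


if __name__ == "__main__":
    for path, param, kind in scan(SAMPLE_REQUESTS):
        print(f"{kind.upper():4} {path} param={param}")
```

Decoding before matching is the point: a pattern applied to the raw, percent-encoded query string would miss both payloads, and a server-side fix must likewise validate the decoded value, not the wire form.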
Aruba Networks Security Advisory
Title: TLS Protocol Session Renegotiation Security Vulnerability
Aruba Advisory ID: AID-020810
Revision: 1.0
For Public Release on 02/08/2010
1) Input passed to the "clientid" parameter in "www/admin/banner-acl.php",
"www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-banners.php",
and "www/admin/banner-activate.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of an affected site.
2) Input passed to the "orderdirection" and "listorder" parameters in
"www/admin/userlog-index.php" and "www/admin/stats.php" is not properly
sanitised before being returned to the user. This can be
Essentially the paper details a way in which the attacker can manipulate the
environment to trick an Oracle database into using arbitrary SQL in DATE
functions and data.
A number of people at the time dismissed it as irrelevant because the
attacker required the ALTER SESSION privilege. Well, as it turns out, you
don't need the ALTER SESSION privilege at all. Here's why: there are certain
ALTER SESSION statements that can be executed even though the user doesn't
have the ALTER SESSION privilege. The statements that can be executed
without the privilege include those that relate to National Language
Support. Thus a user without ALTER SESSION privileges can change the date
Product: IBM OmniFind Enterprise Edition
Website: http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/
Vulnerabilities:
- Cross-Site-Scripting (XSS)
- Cross-Site-Request-Forgery (XSRF)
- Session fixation
- Session impersonation
- Remote buffer overflow
- Privilege escalation in two applications
- Missing authentication in configuration panel
- Admin password is delivered in plaintext inside the server response
Application: Rittal CMC-TC PU II Web management
Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,
possibly other Rittal products
Attack type : XSS Type I, XSS Type II, Session prediction,
Remote command execution in default configuration
Severity: Moderate
Vendor Status: Vendor notified.
Patch already available for XSS vulnerabilities.
Other vulnerabilities will be addressed in a future
announce other SASL mechanisms, as shown in the previous section.
Technical details
=================
The Postfix SMTP server creates a SASL handle for each SMTP session,
when SASL authentication is enabled. The Postfix SMTP server will
use this SASL handle until it closes the SMTP connection (the Postfix
SMTP server may create a new server SASL handle when the client and
server agree to switch from a plaintext session to a TLS-encrypted
session, but this does not eliminate the memory corruption problem).
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Adobe Audition vulnerability processing malformed session file
1. *Advisory Information*
> > To tell you the truth, the original motivation was just that it's not a
> > good idea to have a valid authentication token (the file retrieval session
> > ID) embedded in a URL.
>
> Sure, it can show up in logs, referer, etc. If you don't mind JavaScript,
> it's easy enough to use JavaScript to submit a POST.
[MajorSecurity Advisory #53]BLUEPAGE CMS - Cross Site Scripting and Session Fixation Issues
Details
=======
Product: BLUEPAGE CMS
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.bluepage-cms.com/
Vendor-Status: informed
Advisory-Status: published
[MajorSecurity Advisory #54]xt:Commerce - Cross Site Scripting and Session Fixation Issues
Details
=======
Product: xt:Commerce
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.xtcommerce-shop.com/
Vendor-Status: informed
Advisory-Status: published
PUBLIC
=========================================================================
ACROS Security Problem Report #2008-03-11-2
-------------------------------------------------------------------------
ASPR #2008-03-11-2: Session Fixation Vulnerability in WebLogic
Administration Console
=========================================================================
Document ID: ASPR #2008-03-11-2-PUB
Vendor: BEA Systems (http://www.bea.com)
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664
1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
<form action="http://[host]/admin/login.php?action=process" method="post" name="main" id="main">
AppSecInc Team SHATTER Security Advisory
Oracle Enterprise Manager vulnerable to Session fixation.
Risk Level:
Low
Affected versions:
Packetninjas L.L.C
www.packetninjas.net
-= Security Advisory =-
Advisory: Zeacom Chat Server JSESSIONID weak SessionID Vulnerability
Release Date: unknown
Last Modified: 09/27/2010
Author: Daniel Clemens [daniel.clemens[at]packetninjas.net]
Application: Zeacom Chat Application <= 5.0 SP4
[HACKATTACK Advisory 20081203]Pro Clan Manager 0.4.2 - Session Fixation
Details
************************
Product: Pro Clan Manager CMS
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.proclanmanager.com/
Vendor-Status: informed
Advisory-Status: not yet published
vulnerability can be exploited to reload the affected device.
Unauthorized information interception
+------------------------------------
The following vulnerabilities reflect the fact that sessions between
an operator workstation and the Cisco Network Building Mediator are
not protected against unauthorized interception. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
[HACKATTACK Advisory 25012009]ConPresso CMS 4.07 - Session Fixation, XFS, XSS
Details
************************
Product: ConPresso CMS 4.07
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.conpresso.de/
Vendor-Status: informed
Advisory-Status: not yet published
Summary
=======
Cisco IOS XR will reset a Border Gateway Protocol (BGP) peering
session when receiving a specific invalid BGP update.
The vulnerability manifests when a BGP peer announces a prefix with a
specific invalid attribute. On receipt of this prefix, the Cisco IOS
XR device will restart the peering session by sending a notification.
The peering session will flap until the sender stops sending the
I logged out of the mobile interface on my AT&T cell phone. "Just in case"
What is also frightening / interesting is that facebook seems to link
the two sessions so that when I logged out of the phone based session to
m.facebook.com, I was also logged out of my web based session as well.
Even more interesting is that trying to login to facebook on two
separate browser sessions won't work. I.e. if I login to facebook on one
computer, and then login again on another computer, or on the same
computer in a different browser (i.e. firefox for one session and i.e.
[HACKATTACK Advisory #3]Social Impress CMS 1.1 - Session Fixation
Details
************************
Product: Impress CMS
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.impresscms.info
Vendor-Status: informed
Advisory-Status: not yet published