Date: Thu, 12 Jul 2012 09:39:29 +0100
From: Benji <me@...ji.com>
To: Gökhan Muharremoğlu <gokhan.muharremoglu@...ec.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Predefined Post Authentication Session ID Vulnerability

Ah, please send more emails explaining the faults of retarded
programmers and serious vulnerabilities, and then link to an owasp
page.

Can you explain HTTPOnly cookies to me? I will only accept your
explanation if you can justify an impact of Critical, a likelihood of
High and a severity of High?

fuq'in kidz...

On Wed, Jul 11, 2012 at 11:20 PM, Gökhan Muharremoğlu
<gokhan.muharremoglu@...ec.org> wrote:
>
> This article explains how this vulnerability works with Session Fixation
> attack.
> https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)
>
>> From: gokhan.muharremoglu@...ec.org
>> To: full-disclosure@...ts.grok.org.uk
>> Date: Wed, 11 Jul 2012 11:34:11 +0300
>> Subject: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
>
>>
>> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
>> Type: Improper Session Handling
>> Impact: Session Hijacking
>> Level: Medium
>> Date: 10.07.2012
>> Vendor: Vendor-neutral
>> Issuer: Gokhan Muharremoglu
>> E-mail: gokhan.muharremoglu@...ec.org
>>
>>
>> VULNERABILITY
>> If a web application starts a session and defines a session id before a
>> user is authenticated, this session id must be changed after a successful
>> authentication. If the web application uses the same session id before and
>> after authentication, any legitimate user who has gained the "before
>> authentication" session id can hijack future "after authentication"
>> sessions too.
>>
>>
>> Vulnerable Login Page & Session ID before Authentication
>> (Status-Line) HTTP/1.1 200 OK
>> Server Apache/2.2.3 (CentOS)
>> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
>> Expires Thu, 19 Nov 1981 08:52:00 GMT
>> Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>> Pragma no-cache
>> Content-Type text/html
>> Content-Length 308
>> Date Tue, 10 Jul 2012 06:16:57 GMT
>> X-Varnish 1922993981
>> Age 0
>> Via 1.1 varnish
>> Connection keep-alive
>>
>>
>> Vulnerable Login Page & Authentication Request
>> (Request-Line) POST /iosec_login_vulnerable.php HTTP/1.1
>> Host www.iosec.org
>> User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25)
>> Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E)
>> Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
>> Accept-Encoding gzip,deflate
>> Accept-Charset ISO-8859-9,utf-8;q=0.7,*;q=0.7
>> Keep-Alive 115
>> Connection keep-alive
>> Referer http://www.iosec.org/iosec_login_vulnerable.php
>> Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2
>> Content-Type application/x-www-form-urlencoded
>> Content-Length 42
>> POST DATA
>> user gokhan
>> pass muharremoglu
>> submit Login
>>
>>
>> Vulnerable Login Page & Session ID after Authentication
>> (Status-Line) HTTP/1.1 200 OK
>> Server Apache/2.2.3 (CentOS)
>> Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
>> Expires Thu, 19 Nov 1981 08:52:00 GMT
>> Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>> Pragma no-cache
>> Content-Type text/html
>> Content-Length 308
>> Date Tue, 10 Jul 2012 06:16:57 GMT
>> X-Varnish 1922993981
>> Age 0
>> Via 1.1 varnish
>> Connection keep-alive
>>
>>
>> MITIGATION
>> To avoid this vulnerability, sessions must be regenerated after a successful
>> login. In a session fixation attack, the attacker fixates (sets) another
>> person's (the victim's) session identifier because the session id is "never
>> regenerated and validated", and this vulnerability can also lead to the
>> Session Fixation attack.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>

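Added example (not from the advisory or anyone on the list): a small Python audit check that parses the pre- and post-login Set-Cookie headers quoted above and flags the condition the advisory reports, an unchanged session id across authentication, together with the HttpOnly and Secure flags the thread brings up. The two sample responses are reduced copies of the advisory's headers; the "fixed" response and its cookie value are constructed placeholders.

```python
import re

# Constructed sample: the advisory's two responses, reduced to the headers the
# check needs. The same PHPSESSID before and after login is the reported bug;
# the missing HttpOnly/Secure flags are the cookie hygiene the thread mentions.
PRE_AUTH = """HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
Content-Type: text/html
"""
POST_AUTH = """HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
Content-Type: text/html
"""
# Constructed response from a fixed application: the id is regenerated on
# login (session_regenerate_id(true) in PHP) and the flags are set.
FIXED_POST_AUTH = """HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=placeholdernewid0000000000; path=/; HttpOnly; Secure
Content-Type: text/html
"""

COOKIE_RE = re.compile(r"(?i)^set-cookie:\s*([^=;\s]+)=([^;]*)(.*)$")

def session_cookies(raw_response, name="PHPSESSID"):
    """Map each issued value of cookie `name` to its lowercase attribute names."""
    found = {}
    for line in raw_response.splitlines():
        m = COOKIE_RE.match(line.strip())
        if m and m.group(1) == name:
            attrs = {a.strip().split("=", 1)[0].lower()
                     for a in m.group(3).split(";") if a.strip()}
            found[m.group(2)] = attrs
    return found

def audit_session_rotation(pre, post, name="PHPSESSID"):
    """Compare the session cookie before and after login; [] means it passes."""
    before, after = session_cookies(pre, name), session_cookies(post, name)
    findings = []
    if not after:
        # No Set-Cookie after login means the pre-auth id is simply kept.
        findings.append("no new session id issued after authentication")
    elif set(before) & set(after):
        findings.append("session id unchanged across authentication (fixation risk)")
    for attrs in after.values():
        if "httponly" not in attrs:
            findings.append("post-auth session cookie lacks HttpOnly")
        if "secure" not in attrs:
            findings.append("post-auth session cookie lacks Secure")
    return findings
```

Run against the advisory's pair the check reports the unchanged id plus the two missing flags; against the constructed fixed response it reports nothing.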
