Message-ID: <2C8DD899-4C21-43C9-9FC0-EFC871151659@xs4all.nl>
Date: Tue, 14 Mar 2006 19:32:16 +0100
From: Hans Wolters <hans.wolters@...all.nl>
To: bugtraq@...urityfocus.com
Subject: Invision Power Board v2.1.4 - session hijacking


Problem:

Invision Board v2.1.4 has a problem with sessions. Once it is
installed on a server where PHP is allowed to use transparent
sessions, a session can be hijacked by other users.



Testing:

Once you visit a site where Invision Board is used, the first click on
the Log In link points the visitor to a link with the session id in it:

index.php?s=<session_id>&act=Login&CODE=00

If you copy this session id, log in and start a different browser (not
a new instance), then you only need to copy the session id url into
the different browser to log in without giving the password and login
name.

Any links within the forum where the session_id is linked to the url
will enable other people (perhaps only within the same network where
the IP number is NATed) to log in when users are online and logged in.

Reported:

Contacted the authors on March 1st, no response.
Contacted the author via the email address listed on this list, no
response.

Regards,

Hans
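
A log check for the condition described in the message above, added here as an example and not part of the original post: it flags any `s=` session id that arrives from more than one (client IP, User-Agent) pair, because behind NAT the IP address alone does not tell two browsers apart. The Apache "combined" log format, the function name and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache "combined" format); all values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Mar/2006:19:01:02 +0100] "GET /index.php?s=aaaa1111bbbb2222cccc3333dddd4444&act=Login&CODE=00 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
192.0.2.10 - - [14/Mar/2006:19:03:40 +0100] "GET /index.php?s=aaaa1111bbbb2222cccc3333dddd4444&showforum=2 HTTP/1.1" 200 8100 "-" "Opera/8.5 (X11; Linux)"
198.51.100.7 - - [14/Mar/2006:19:04:11 +0100] "GET /index.php?s=eeee5555ffff6666aaaa7777bbbb8888&act=Login&CODE=00 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows) Firefox/1.5"
198.51.100.7 - - [14/Mar/2006:19:05:00 +0100] "GET /index.php?s=eeee5555ffff6666aaaa7777bbbb8888&showtopic=9 HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (Windows) Firefox/1.5"
203.0.113.5 - - [14/Mar/2006:19:06:00 +0100] "GET /index.php?showtopic=9 HTTP/1.1" 200 7000 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# client IP, request target and User-Agent from one combined-format line
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$'
)


def shared_sessions(log_text):
    """Map each session id seen from more than one client to those clients.

    A client is the pair (IP, User-Agent): two browsers behind the same
    NAT address share an IP, so the User-Agent is part of the fingerprint.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip it
        ip, target, agent = match.groups()
        # "s" is the session parameter shown in the URL quoted in the message
        for sid in parse_qs(urlsplit(target).query).get("s", []):
            seen[sid].add((ip, agent))
    return {sid: sorted(clients) for sid, clients in seen.items() if len(clients) > 1}


if __name__ == "__main__":
    for sid, clients in shared_sessions(SAMPLE_LOG).items():
        print("session id used by %d clients: %s" % (len(clients), sid))
        for ip, agent in clients:
            print("    %s  %s" % (ip, agent))
```

A hit is a lead for review rather than proof of hijacking: a user who switches browsers on the same machine produces the same pattern.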

