Open Source and information security mailing list archives
Message-ID: <20090401233534.27035.qmail@securityfocus.com>
Date: 1 Apr 2009 23:35:34 -0000
From: laurent.desaulniers@...il.com
To: bugtraq@...urityfocus.com
Subject: OSCommerce Session Fixation Vulnerability

There is a flaw in the way OSCommerce handles sessions. 

When a client visits an OSCommerce web page, the server sends a cookie. That cookie will be the session cookie for every further request. Thus, once logged in, the cookie will be used to authenticate the user.

When logging in (without cookies), the URL will look something like http://myserver/myapp/index.php?oscid=sometext

An attacker can send a link crafted like this: http://myserver/myapp/index.php?oscid=arbitrarysession. If the admin/user follows the link and logs in, his cookie will still be arbitrarysession. Thus, the attacker can hijack the session because he set the cookie.

P.S. Thanks to the whole TeaM Random (www.etsmtl.ca) for this bug. 
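The flow described in the post, as an added simulation that is not part of the original message and not OSCommerce code: a minimal session-handling model in Python whose vulnerable variant adopts whatever `oscid` arrives in the URL and keeps that id across login, beside a hardened variant that ignores URL-supplied ids, refuses ids it never issued, and rotates the id when the session becomes authenticated. The parameter name `oscid` and the value `arbitrarysession` come from the post; the user store, request and response shapes, and the attack helpers are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credential store for the simulation (not OSCommerce code).
USERS = {"alice": "correct horse"}


@dataclass
class Request:
    query: Dict[str, str] = field(default_factory=dict)    # URL parameters, e.g. {"oscid": "..."}
    cookies: Dict[str, str] = field(default_factory=dict)  # cookies the browser sends back
    form: Dict[str, str] = field(default_factory=dict)     # POSTed login fields


@dataclass
class Response:
    body: str
    set_cookie: Optional[str] = None  # session id the server tells the browser to store as "oscid"


class VulnerableApp:
    """Mirrors the behaviour the advisory describes: a session id offered in the
    URL (oscid=...) is adopted, and the same id is kept after a successful login."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def resolve_session(self, req: Request) -> str:
        sid = req.cookies.get("oscid") or req.query.get("oscid")
        if sid is None:
            sid = secrets.token_hex(16)
        self.sessions.setdefault(sid, {})  # attacker-chosen ids are registered as-is
        return sid

    def login(self, req: Request) -> Response:
        sid = self.resolve_session(req)
        user = req.form.get("user")
        if user is not None and USERS.get(user) == req.form.get("password"):
            self.sessions[sid]["user"] = user  # privilege changes, the id does not
            return Response("welcome " + user, set_cookie=sid)
        return Response("login failed", set_cookie=sid)

    def whoami(self, req: Request) -> Optional[str]:
        return self.sessions[self.resolve_session(req)].get("user")


class HardenedApp(VulnerableApp):
    """Two independent fixes: ignore ids from the URL and never adopt an id the
    server did not issue, and rotate the id when the session is authenticated."""

    def resolve_session(self, req: Request) -> str:
        sid = req.cookies.get("oscid")
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(16)  # unknown or missing id: issue a fresh one
            self.sessions[sid] = {}
        return sid

    def login(self, req: Request) -> Response:
        old = self.resolve_session(req)
        user = req.form.get("user")
        if user is not None and USERS.get(user) == req.form.get("password"):
            new = secrets.token_hex(16)
            self.sessions[new] = self.sessions.pop(old)  # the pre-login id is now worthless
            self.sessions[new]["user"] = user
            return Response("welcome " + user, set_cookie=new)
        return Response("login failed", set_cookie=old)


def fixation_via_url(app: VulnerableApp, fixed_sid: str = "arbitrarysession") -> Optional[str]:
    """The attack from the advisory. Returns the user the attacker's session is
    authenticated as afterwards, or None if the attack failed."""
    # Victim follows http://myserver/myapp/index.php?oscid=arbitrarysession with
    # no existing cookie and logs in with valid credentials.
    victim = Request(query={"oscid": fixed_sid},
                     form={"user": "alice", "password": "correct horse"})
    resp = app.login(victim)
    assert resp.body == "welcome alice"
    # Attacker presents the id they chose.
    return app.whoami(Request(cookies={"oscid": fixed_sid}))


def fixation_via_cookie(app: VulnerableApp) -> Optional[str]:
    """Stronger attacker: obtains a server-issued id first and manages to plant it
    as the victim's cookie. Only id rotation at login defeats this variant."""
    planted = app.resolve_session(Request())  # a genuine id from the server
    victim = Request(cookies={"oscid": planted},
                     form={"user": "alice", "password": "correct horse"})
    assert app.login(victim).body == "welcome alice"
    return app.whoami(Request(cookies={"oscid": planted}))


if __name__ == "__main__":
    print("vulnerable, URL fixation:   ", fixation_via_url(VulnerableApp()))     # alice
    print("vulnerable, cookie fixation:", fixation_via_cookie(VulnerableApp()))  # alice
    print("hardened,   URL fixation:   ", fixation_via_url(HardenedApp()))       # None
    print("hardened,   cookie fixation:", fixation_via_cookie(HardenedApp()))    # None
```

The second attack helper is there to show why refusing URL-supplied ids is not sufficient on its own: an attacker who can plant a cookie by some other route (a sibling host on the same parent domain, for instance) still wins unless the id is rotated at login. Checking a real deployment for this class of bug needs no exploit: note the session cookie value before authenticating, log in, and compare; if the value is unchanged, or if a made-up value passed in the URL is echoed back in the response cookie, the application is fixable in the sense this post describes.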
