lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 11 Jul 2012 11:34:11 +0300
From: Gokhan Muharremoglu <gokhan.muharremoglu@...ec.org>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Predefined Post Authentication Session ID
	Vulnerability

Vulnerability Name: Predefined Post Authentication Session ID Vulnerability 
Type: Improper Session Handling
Impact: Session Hijacking
Level: Medium
Date: 10.07.2012
Vendor: Vendor-neutral
Issuer: Gokhan Muharremoglu
E-mail: gokhan.muharremoglu@...ec.org


VULNERABILITY
If a web application starts a session and defines a session id before a user
authenticated, this session id must be changed after a successful
authentication. If web application uses the same session id before and after
authentication, any legitimate user who has gained the "before
authentication" session id can hijack future "after authentication" sessions
too. 


Vulnerable Login Page & Session ID before Authentication
(Status-Line)   HTTP/1.1 200 OK
Server  Apache/2.2.3 (CentOS)
Set-Cookie      PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control   no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma  no-cache
Content-Type    text/html
Content-Length  308
Date    Tue, 10 Jul 2012 06:16:57 GMT
X-Varnish       1922993981
Age     0
Via     1.1 varnish
Connection      keep-alive


Vulnerable Login Page & Authentication Request
(Request-Line)  POST /iosec_login_vulnerable.php HTTP/1.1
Host    www.iosec.org
User-Agent      Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25)
Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E)
Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-9,utf-8;q=0.7,*;q=0.7
Keep-Alive      115
Connection      keep-alive
Referer  http://www.iosec.org/iosec_login_vulnerable.php
Cookie  PHPSESSID=8usd2oeo11a8cod9q3lnev9je2
Content-Type    application/x-www-form-urlencoded
Content-Length  42
POST DATA
user    gokhan
pass    muharremoglu
submit  Login


Vulnerable Login Page & Session ID after Authentication
 (Status-Line)  HTTP/1.1 200 OK
Server  Apache/2.2.3 (CentOS)
Set-Cookie      PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control   no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma  no-cache
Content-Type    text/html
Content-Length  308
Date    Tue, 10 Jul 2012 06:16:57 GMT
X-Varnish       1922993981
Age     0
Via     1.1 varnish
Connection      keep-alive


MITIGATION
To avoid this vulnerability, sessions must be regenerated after a successful
login. In a session fixation attack, attacker fixates (sets) another
person's (victim's) session identifier because of "never regenerated and
validated" session id and this vulnerability can also lead to the Session
Fixation attack.  		

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ