Vuln: CherryPy Cookie Session Id Information Disclosure Vulnerability

Related Files:

  • http://packetstormsecurity.com/0402-exploits/ASPportal.txt
    ASP Portal suffers from multiple vulnerabilities that can lead to disclosure of authentication information, disclosure of user information, remote execution of arbitrary code, modification of user information, and identity spoofing. Cookie hijacking exploit enclosed. Authored By Manuel López
  • http://packetstormsecurity.com/0107-exploits/xdm-cookie-exploit.c
    Current versions of xdm are susceptible to a trivial brute-force attack if compiled with bad options, mainly without HasXdmXauth. Without this option, the cookie is generated from gettimeofday(2). If you know the starting time of the xdm login session, computing the cookie takes only a few seconds. Authored By Ntf, Sky
  • http://packetstormsecurity.com/0403-exploits/phpx324.txt
    PHPX versions 2.x through 3.2.4 fail to implement a secure session management engine. A user can obtain a session simply by supplying the uid of the user whose account they want to take over, and as long as that user's session is in the database, session hijacking is possible. Furthermore, it is concerning that the session id itself is generated by a simple auto-increment field in the MySQL database, making it trivial for an attacker to steal a cookie. Full exploitation included. Authored By Ryan Wray aka HelloWorld
  • http://packetstormsecurity.com/0608-advisories/cybozuSQL.txt
    Some SQL injection vulnerabilities have been found in Cybozu Garoon 2 version 2.1.0 for Windows. When exploited by a logged-on user, the vulnerabilities allow manipulation of SQL statements, which can lead to disclosure of information from the database or cause the backend MySQL database to consume a large amount of CPU resources. Homepage: http://vuln.sg/. Authored By Tan Chew Keong
  • http://packetstormsecurity.com/0610-advisories/NeonWebMail.txt
    Seven vulnerabilities have been found in Neon WebMail for Java. When exploited, these vulnerabilities allow execution of arbitrary JSP code, escalation of user privileges, manipulation of users' emails and account information, disclosure of files on the server, and potentially a DoS via heavy CPU utilization by the MySQL server. Homepage: http://vuln.sg/neonmail506-en.html.
  • http://packetstormsecurity.com/0601-advisories/advisory_012006.112.txt
    Hardened-PHP Project Security Advisory - Since PHP 5, a user-supplied session ID is sent back to the user within a Set-Cookie HTTP header. Because no checks were performed on the validity of this session id, it was possible to inject arbitrary HTTP headers into the response of applications using PHP's built-in session functionality by supplying a specially crafted session id. Versions 5.1.1 and below are affected. PHP4 is not affected. Homepage: http://www.hardened-php.net/. Authored By Stefan Esser
  • http://packetstormsecurity.com/0504-advisories/apple_webkit_filedisclosure.txt
    AppleWebKit XMLHttpRequest arbitrary file disclosure - Apple Safari 1.2+, Apple RSS 2.0 pre-release, OmniGroup OmniWeb 5.1+, as well as other software based on the same engine, are vulnerable to malicious web servers attacking them and retrieving arbitrary files from disk. Homepage: http://remahl.se/david/vuln/001/. Authored By David Remahl
  • http://packetstormsecurity.com/advisories/microsoft/ms00-080
    Microsoft Security Bulletin (MS00-080) - Microsoft has released a patch that eliminates the "Session ID Cookie Marking" vulnerability in IIS, which allows malicious users who can sniff network traffic to hijack another user's secure web session. Microsoft FAQ on this issue available here.
  • http://packetstormsecurity.com/0701-exploits/nukedklan17.txt
    Nuked Klan versions 1.7 and below suffer from a remote cookie disclosure vulnerability. Authored By NeoSSJ, Kad
  • http://packetstormsecurity.com/0702-advisories/02.16.07-1.txt
    iDefense Security Advisory 02.16.07 - TrendMicro's ServerProtect product uses a web interface running on TCP port 14942 to configure the product. This interface is protected by a user-configurable password. Upon successful login, a cookie is set with the name 'splx_2376_info' and a valid session id as its value. The ServerProtect web application suffers from a design error in its authorization checking routines: attackers can gain full access to the web application by requesting any internal page while supplying their own 'splx_2376_info' cookie with an arbitrary value. iDefense has confirmed this vulnerability in Trend ServerProtect v1.3 for Linux. This vulnerability is not present in the Windows-based versions of ServerProtect. Homepage: http://www.idefense.com/. Authored By Damian Put