On Wed, Jul 11, 2012 at 11:34:11AM +0300, Gokhan Muharremoglu wrote:
> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
> Type: Improper Session Handling
> Impact: Session Hijacking
> Level: Medium
> Date: 10.07.2012
> Vendor: Vendor-neutral
> Issuer: Gokhan Muharremoglu
> E-mail: gokhan.muharremo...@iosec.org
>
>
> VULNERABILITY
> If a web application starts a session and defines a session id before a user
> is authenticated, this session id must be changed after a successful
> authentication. If the web application uses the same session id before and after
> authentication, any legitimate user who has gained the "before
> authentication" session id can hijack future "after authentication" sessions
> too.
Uh, so, erm, you assume that someone can steal my cookie/set it/whatever although the Same Origin Policy should clearly not allow that, and then, after I have logged in, he can't just steal my cookie? Unless you allow setting the session ID via a URL or so (which would IMO be pretty stupid), I can't see how this is a realistic, vendor-neutral attack. Could you explain this a bit better? I don't get it.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
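The advisory describes a session that keeps its pre-login identifier after authentication, and the reply asks how an attacker would ever hold that identifier in the first place. The following is an added example, written for this thread and not code from either poster: a small in-memory session store with a switch for whether the server rotates the session id at login, plus a simulation of the scenario both messages are talking about, in which the victim's browser ends up using an id the attacker already knows (the "session id via URL" case the reply mentions is one way that happens). All names here (SessionStore, fixation_attack, the user "alice") are constructed for the example; the store is deliberately minimal and is not a real framework's session implementation.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None          # None until the session is authenticated
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal server-side session store (constructed for this example).

    rotate_on_login=False reproduces the behaviour the advisory warns about:
    the id handed out before authentication is kept after a successful login.
    rotate_on_login=True is the hardened behaviour: a fresh id is issued at
    login and the old one is invalidated.
    """

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Session] = {}

    def _mint(self, session: Session) -> str:
        # 256 bits from the OS CSPRNG; guessing is not the weakness discussed here
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = session
        return sid

    def new_session(self) -> str:
        """Start an anonymous (pre-authentication) session and return its id."""
        return self._mint(Session())

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session behind `sid` (credentials are assumed to
        have been checked already). Returns the id the client must use from
        now on, which differs from `sid` only when rotation is enabled."""
        old = self._sessions.get(sid)
        if old is None:
            raise KeyError("unknown session id")
        if not self.rotate_on_login:
            old.user = user           # vulnerable: same id before and after login
            return sid
        # Hardened path: copy state into a brand-new id and drop the old one,
        # so whoever learned the pre-login id is left holding a dead handle.
        new_sid = self._mint(Session(user=user, data=dict(old.data)))
        del self._sessions[sid]
        return new_sid


def fixation_attack(store: SessionStore) -> bool:
    """Simulate the scenario from the advisory and the reply.

    1. The attacker obtains an ordinary anonymous session id from the server.
    2. The victim's browser is made to use that same id (e.g. an application
       that accepts the id from a URL, as the reply mentions).
    3. The victim logs in with their own credentials.
    4. The attacker presents the id they obtained in step 1.
    Returns True if that id is now an authenticated session for the victim.
    """
    attacker_sid = store.new_session()     # step 1: legitimately issued to the attacker
    victim_sid = attacker_sid              # step 2: fixation, victim adopts it
    victim_sid = store.login(victim_sid, "alice")   # step 3: victim authenticates
    hijacked = store.get(attacker_sid)     # step 4: attacker replays the original id
    return hijacked is not None and hijacked.user == "alice"


if __name__ == "__main__":
    print("no rotation, hijack succeeds:", fixation_attack(SessionStore(rotate_on_login=False)))
    print("rotation,    hijack succeeds:", fixation_attack(SessionStore(rotate_on_login=True)))
```

The point of the simulation is that the attacker never steals anything after the fact: the id they hold was issued to them, anonymously and legitimately, and only becomes valuable once the application upgrades it to an authenticated session instead of replacing it. Rotating the id at login (and invalidating the old one, not merely issuing a second id alongside it) closes that path regardless of how the victim's browser came to use the attacker's id.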