Re: [Full-disclosure] Rutkowska faces '100% undetectable malware' challenge, teasing?

2007-06-30 Thread Trey Keifer

Joanna has stated her technical requirements for the challenge and Thom and
group have accepted them, so why not turn this into what it really is... a
bet.

The losing team agrees to pay the other $350,000 - if both groups are really
so confident there shouldn't be any issue.



On 6/30/07, Bipin Gautam [EMAIL PROTECTED] wrote:


hi guys,

ref: http://blogs.zdnet.com/security/?p=334

so are they teasing by giving her the impossible challenge at this date?
:)

honeypot developers have been trying to battle the same issue of
making the virtual machine emulate a guest OS as if it were running on real
hardware for some years now.

ref:
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

But if Rutkowska or anyone is able to succeed in making it undetectable
on current hardware, that would be genius!

-bipin

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Session Token Remains Valid After Logout in IBM Lotus Domino Web Access

2006-09-12 Thread Trey Keifer
How is this a vulnerability? This is a common design trade-off of SSO tokens. In order to support the user opening and closing multiple applications and not requiring them to log in again to individual applications (which is the point of SSO), they must invalidate the token in specific instances while leaving a more encompassing SSO token valid until a defined timeout.

You also say you didn't test the difference between SSO mode and Single Server mode. It seems to me that this would be a key test: is it possible that this functionality *does* change when the server knows it does not have to worry about session management across multiple instances?

Furthermore, this alert requires access to the token (which we are left to make assumptions about, since no details on length or algorithm were included) which, unless the application only supports HTTP, is a pretty obvious issue and not even worth reporting. If we include web applications that don't invalidate sessions on the server side as reportable instances of vulnerabilities, then we open the flood-gates for worthless advisories.
On 9/12/06, Ferguson, David [EMAIL PROTECTED] wrote:
I. SYNOPSIS

Title: Session Token Remains Valid After Logout in IBM Lotus Domino Web Access 7.0.1
Release Date: 09/12/2006
Affected Application: IBM Lotus Domino Web Access 7.0.1 (versions prior to 7.0.1 were not tested but may still be vulnerable).
Nominal Severity: Low
Severity If Successfully Exploited: High
Impact: Attacker impersonates legitimate user
Mitigating Factors: Requires discovery of a valid LtpaToken to exploit.
Discovery: Dave Ferguson, Security Consultant, FishNet Security
Initial Notification of Vendor: 08/28/2006
Permanent Advisory Location: http://www.fishnetsecurity.com/csirt/disclosure/ibm

II. EXECUTIVE SUMMARY

Vulnerability Overview:
In Lotus Domino Web Access (DWA) 7.0.1, the session token used to identify the user (called LtpaToken) is not invalidated on the server upon user logout. The cookie is removed from the browser, but the token continues to be recognized by the server until a configurable expiration time is reached.

Attack Overview:
The most likely attack scenario is session hijacking or session stealing. Knowing a valid session token would allow a malicious person to access all functionality of the web application (except changing password, which requires knowledge of the current password). Lotus DWA is a personal information management application that includes e-mail, calendar, and task management. By hijacking (or stealing) a session, an attacker is able to impersonate a legitimate user, and can read the user's e-mail, send e-mail as the user, or change the user's preference settings.

III. TECHNICAL DETAIL

Vulnerability Details:
When a Lotus DWA user logs in, a cookie called LtpaToken is set into the browser and is used throughout the session to uniquely identify the user. When a user logs out of DWA, the cookie is cleared from the browser, but this action has no effect on the server. The token eventually expires on the server after some configurable amount of time. A user who explicitly logs out of DWA may have a false sense of security. The LtpaToken cookie in his browser is deleted, but the token is still valid from the server's perspective and can be used by an attacker if he can discover it. Best practices in web application security would call for the LtpaToken to be invalidated/destroyed at logout time. Note that the vulnerability described here was observed with Session authentication under the Domino Web Engine tab set to Multiple Servers (SSO). The same behavior may occur with the Single Server configuration as well, but this was not tested.

The LtpaToken described here is a component in IBM's Lightweight Third-Party Authentication (LTPA) technology. The LTPA technology was designed to be a de facto standard across the IBM product family. LTPA is used in both IBM WebSphere and Lotus Domino products and allows for single sign-on across physical servers. For example, Domino can recognize and accept LTPA tokens created by WebSphere. For more information, please see the IBM redpaper at http://www.redbooks.ibm.com/redpieces/pdfs/redp4104.pdf

IV. MITIGATING FACTORS

Keeping the LtpaToken confidential is critical to mitigating this issue. An attacker must be able to discover a valid LtpaToken before it expires. Because the LtpaToken is sent with each request, Lotus DWA should be deployed as a secure application. This means an SSL certificate should be installed on the server so that encrypted (https) communication between the browser and the server occurs.

Cross-site scripting (XSS) is a common application-level attack that can be used to steal cookies such as LtpaToken. Running the application under SSL does not hinder XSS attacks. Fortunately, Lotus Domino includes a module called Active Content Filter that is highly effective at removing potentially harmful scripts in e-mail messages. Active Content Filtering should be turned on. Finally, the overall risk level can be lowered by enabling an idle
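The advisory and the reply above disagree on whether a token that stays valid server-side after logout is worth reporting, but the test the advisory describes (log in, keep a copy of the token, log out, replay the copy) is simple to model and is the check a tester would run against any SSO deployment. The Python below is an added example, not Domino/LTPA code and not from the advisory: a toy session server with both logout behaviours (cookie-only clearing, as the advisory describes, versus server-side invalidation), a controllable clock so the TTL can be exercised without sleeping, and the replay check. SessionServer, FakeClock, check_logout_invalidates and the 1800-second TTL are assumptions made here. A self-contained token like LTPA is validated with a shared key rather than looked up, so revoking it at logout requires server-side state (a session table or deny-list); the hardened variant models that state with a plain dictionary.

```python
import secrets
import time


class FakeClock:
    """Controllable clock so the token TTL can be tested without sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionServer:
    """Toy model (constructed for this example, not Domino/LTPA code) of a web
    application that issues a bearer session token at login and looks it up on
    every request.  invalidate_on_logout=False reproduces the behaviour the
    advisory describes: logout clears the browser cookie but leaves the
    server-side entry valid until the configurable TTL lapses."""

    def __init__(self, ttl_seconds=1800, invalidate_on_logout=True, clock=time.time):
        self.ttl = ttl_seconds                    # assumed TTL; Domino's is configurable
        self.invalidate_on_logout = invalidate_on_logout
        self.clock = clock
        self._sessions = {}                       # token -> (user, expiry timestamp)

    def login(self, user):
        token = secrets.token_urlsafe(32)         # 256 bits of entropy, unguessable
        self._sessions[token] = (user, self.clock() + self.ttl)
        return token

    def request(self, token):
        """Return the authenticated user for token, or None if it is rejected."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() >= expiry:
            del self._sessions[token]             # expired: drop it and reject
            return None
        return user

    def logout(self, token):
        """Both variants tell the browser to delete the cookie; only the
        hardened variant also destroys the server-side session."""
        if self.invalidate_on_logout:
            self._sessions.pop(token, None)
        return {"Set-Cookie": "LtpaToken=; Expires=Thu, 01 Jan 1970 00:00:00 GMT"}


def check_logout_invalidates(server, user="alice"):
    """The advisory's test: log in, keep a copy of the token (as an attacker who
    stole it via XSS or plaintext HTTP would), log out, replay the copy.
    Returns True if the server rejects the replayed token, False if it is
    still honoured."""
    token = server.login(user)
    if server.request(token) != user:
        raise RuntimeError("fresh token was not accepted; model is broken")
    stolen_copy = token
    server.logout(token)                          # browser cookie is now gone
    return server.request(stolen_copy) is None


def demo():
    """Run the check against both variants and show that the weak server only
    stops honouring a logged-out token once the TTL expires."""
    clock = FakeClock()
    weak = SessionServer(ttl_seconds=1800, invalidate_on_logout=False, clock=clock)
    hardened = SessionServer(ttl_seconds=1800, invalidate_on_logout=True, clock=clock)
    results = {
        "weak_rejects_replay_after_logout": check_logout_invalidates(weak),
        "hardened_rejects_replay_after_logout": check_logout_invalidates(hardened),
    }
    token = weak.login("bob")
    weak.logout(token)
    clock.advance(1799)                           # one second short of the TTL
    results["weak_honours_token_before_ttl"] = weak.request(token) == "bob"
    clock.advance(1)                              # TTL reached
    results["weak_rejects_token_after_ttl"] = weak.request(token) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Against a live deployment the same check is two HTTP clients: capture the LtpaToken cookie from the first after login, log the first out, then send a request with the captured cookie from the second; a 200 with user content instead of a redirect to the login form is the finding. Run it in both Single Server and Multiple Servers (SSO) session authentication modes, since the advisory only observed the SSO configuration.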

Re: [Full-disclosure] Tempest today

2006-08-18 Thread Trey Keifer
I had not seen a realistic, working public example until I picked up on this just the other day. Granted, it's sketchy on details, but assuming it is an honest example it is impressive.
http://www.lightbluetouchpaper.org/2006/03/09/video-eavesdropping-demo-at-cebit-2006/

Everything else seemed to reference the original 1985 article on the subject by Van Eck, where he used a television to pick up the signal from a VDU.
http://upe.acm.jhu.edu/websites/Jon_Grover/emr.pdf

On 8/18/06, J. Oquendo [EMAIL PROTECTED] wrote:

Paul Sebastian Ziegler wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi list,

Can anybody tell me how far evolved this technique is today and who uses it? Maybe some reference to a whitepaper or something similar. Would be great.

Did you mean Van Eck Phreaking... EM eavesdropping, or TEMPEST itself? TEMPEST is the solution for EM eavesdropping. If you're talking about Van Eck Phreaking, I'm not sure you're going to get much information from people explaining how they're doing it (eavesdropping) and what they're using to do it. That WOULD/COULD be akin to a criminal walking into a police station explaining how he robbed that bank. TSCM has a lot of information on this kind of stuff http://www.tscm.com/ and a lot of knowledgeable people who interact with each other. You might be better off seeing what's happening in governmentland though:

See their reference notes:
http://www.cs.nps.navy.mil/people/faculty/rowe/edg_attacks.htm

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net
http://www.infiltrated.net

"The happiness of society is the end of government." John Adams