Joomla: Session hijacking vulnerability, CVE-2008-4122
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4122
http://int21.de/cve/CVE-2008-4122-joomla.html
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16
Yes, I can reproduce this behavior. The application should reinitialize the
cookie after the login but instead it will keep the previous cookie. An
interesting thing this is valid only for the login_module, the administrator
login page does not automatically redirect to HTTPS by configuration.
