
List:       bugtraq
Subject:    [MajorSecurity Advisory #38]eXV2 CMS - Session fixation and
From:       Securityaudit () majorsecurity ! de
Date:       2007-04-04 16:48:08
Message-ID: 20070404164808.26174.qmail () securityfocus ! com

[MajorSecurity Advisory #38] eXV2 CMS - Session fixation and Cross-Site-Scripting Issues

Details
=======
Product: eXV2 CMS <= 2.0.4.3 
Severity: moderate
Remote-Exploit: yes
Vendor-URL: http://www.exv2.com/
Vendor-Status: informed
Advisory-Status: published

Credits
=======
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory
=================
http://www.majorsecurity.de/index_2.php?major_rls=major_rls38

Introduction
============
eXV2 CMS is a Content Management System.

More Details
============
1. Cross Site Scripting:
Input passed directly to the "set_lang" parameter in "archive.php", "article.php", "index.php" and "topics.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

2. Session fixation:
The Cookie variable "PHPSESSID" can be set to a malicious and arbitrary value.

2.1 Classification:
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker will wait for them to login. Once the user does so, the attacker uses the predefined session ID value to assume their online identity.

Workaround: [Cross Site Scripting]
==================================
Edit the source code to ensure that input is properly sanitised.
You should use the "htmlspecialchars()" or "htmlentities()" PHP function to ensure that HTML tags are encoded for display rather than interpreted by the browser.

Example:
<?php
// Encode HTML metacharacters so user input is displayed, not interpreted, by the browser;
// ENT_QUOTES also covers single quotes, which matters inside attribute values.
$pass = htmlentities( $_POST['pass'], ENT_QUOTES, 'UTF-8' );
$test = htmlspecialchars( $_GET['test'], ENT_QUOTES, 'UTF-8' ); // $_GET is an array, not a function
?>

Workaround: [Session fixation]
==============================
1. Do not accept session identifiers from GET / POST variables:
Session identifiers in the URL (query string, GET variables) or in POST variables are not recommended, as they simplify this attack: it is easy to craft links or forms which set GET / POST variables.

2. Regenerate SID on each request:
A powerful countermeasure against session fixation is to "regenerate" the session identifier (SID) on each request. This means that although an attacker may trick a user into accepting a known SID, that SID will already be invalid when the attacker attempts to re-use it.

3. Accept only server generated SID:
One way to improve security is to not accept session identifiers that were not generated by the server.

<?php
session_start();
if ( ! isset( $_SESSION['SERVER_GENERATED_SID'] ) ) {
    $_SESSION = array(); // the presented SID was never issued by the server: drop any data it carries
}
session_regenerate_id( true ); // issue a new session identifier and delete the old session record
$_SESSION['SERVER_GENERATED_SID'] = true;
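As an added example (not code from the advisory or from the eXV2 project), a PHP 7.3+ start-up routine that applies the three countermeasures above together, regenerating the SID at login rather than on every request; the SERVER_GENERATED_SID flag is the advisory's, while the function names and the user_id key are assumptions:

```php
<?php
// Added example: cookie-only, strict-mode sessions with server-issued IDs.
// secure_session_start(), bind_session_to_user() and 'user_id' are assumed names.

function secure_session_start(): void
{
    // 1. Never read the session ID from the URL or form data; cookies only.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued (PHP >= 5.5.2); belt-and-braces with the check below.
    ini_set('session.use_strict_mode', '1');
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'httponly' => true,    // keep the cookie away from script, limiting an XSS-to-fixation chain
        'secure'   => $https,
        'samesite' => 'Lax',
    ]);

    session_start();

    // 3. Accept only a server-generated SID: an unknown ID gets no data and is replaced.
    if (empty($_SESSION['SERVER_GENERATED_SID'])) {
        $_SESSION = [];
        session_regenerate_id(true);   // true = delete the old session record as well
        $_SESSION['SERVER_GENERATED_SID'] = true;
    }
}

// 2. Regenerate the SID at the privilege change (successful login), so an ID
// fixed before authentication carries no authenticated session afterwards.
function bind_session_to_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['SERVER_GENERATED_SID'] = true;
}
```

Call secure_session_start() before any output on every page, and bind_session_to_user() only after the credentials have been verified.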


History/Timeline
================
01.04.2007 discovery of the vulnerabilities
01.04.2007 additional tests with other versions
02.04.2007 contacted the vendor
02.04.2007 vendor confirmed bugs
04.04.2007 advisory is written
04.04.2007 advisory released

MajorSecurity
=============
MajorSecurity is a German penetration testing and security research project
which consists of only one person at the present time.
http://www.majorsecurity.de/

