> > Note the p_session_id parameter. This is the only session
> > identifier used. They are assigned sequentially to each user as
> > they login, and are valid until the user logs out or the session
> > times out. Obviously, this makes it trivial to access the sessions
> > of other users by guessing the session ID. Automated tools to grab
> > this information in bulk as users login over time are also trivial.

Related vulnerability: if you pick a session ID below the current range, you get a message "Unable to validate URL". If you try one above the current range, you get "Unable to find URL". Naturally, this makes it trivial to zero in on the current valid session ID range, even by hand.
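The two defects discussed in this thread, sequential session IDs and error messages that reveal whether a guess fell below or above the live range, are both fixed by the same design: hand out unguessable tokens from the OS CSPRNG, store only a hash of them server-side, and make every failed lookup indistinguishable from every other. The following is an added illustration written for this archive page, not code from the original poster or from the product under discussion; the class name, the 15-minute idle timeout, and the `clock` parameter are assumptions chosen for the example.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side session table keyed by a hash of an unguessable token.

    Added example: the hardened counterpart to the sequential p_session_id
    scheme described in the post. Token values come from secrets (256 bits),
    so neighbouring sessions share no pattern, and lookup() returns the same
    None for any failure, so a caller cannot learn where the live range is.
    """

    TOKEN_BYTES = 32            # 256 bits of entropy per session token
    IDLE_TIMEOUT = 15 * 60      # seconds; assumed value, sessions time out as in the post

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable clock so expiry can be tested offline
        self._sessions = {}     # sha256(token) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _key(token):
        # Store a digest rather than the token itself so a leaked session
        # table cannot be replayed directly against the application.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user):
        """Start a session for `user` and return the opaque token to set as the cookie."""
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._sessions[self._key(token)] = {"user": user, "last_seen": self._clock()}
        return token

    def lookup(self, token):
        """Return the user bound to a live session, or None.

        Malformed, unknown and expired tokens all produce the same None: no
        "validate" versus "find" distinction, so the response carries no
        information about other sessions.
        """
        if not isinstance(token, str) or not token:
            return None
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self.IDLE_TIMEOUT:
            del self._sessions[key]     # expired: drop it and fail uniformly
            return None
        entry["last_seen"] = now        # sliding idle window
        return entry["user"]

    def logout(self, token):
        """Invalidate a session explicitly; unknown tokens are ignored."""
        if isinstance(token, str) and token:
            self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    store = SessionStore()
    alice = store.create("alice")
    print("valid token ->", store.lookup(alice))
    print("tampered token ->", store.lookup(alice[:-1] + "x"))
    store.logout(alice)
    print("after logout ->", store.lookup(alice))
```

The point of the injectable `clock` is that idle expiry can be exercised in a test without sleeping; the point of hashing the token before use as a dictionary key is that a database dump of the session table is not by itself a set of usable credentials.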
This archive was generated by hypermail 2b30 : Mon Sep 03 2001 - 08:14:07 PDT