Re: Websphere cookie/sessionid predictable

From: Job de Haas (jobat_private)
Date: Thu Sep 27 2001 - 10:22:59 PDT


    Hi,
    
    > about three weeks ago, I discovered a hole in IBM's websphere 4.0 session ID
    
    I mailed to IBM about this somewhere in March of this year. Although IBM
    was very clear to me that they considered this no security problem, they
    released a patch three days after my mail. The reason they didn't consider
    it a security problem was because their documentation said it was weak or
    that it should at least be used with basic authentication tied to the session.
    (The patch they released then also was a big kludge btw, but much more random).
    
    > generation. Over a week ago, IBM made a fix for this available, so here is
    > the information about the vulnerability:
    >
    > (everybody who doesn't want to read about this vulnerability and just wants to
    > know the patch info: install the eFix PQ47663V302)
    
    The strange thing is they did the same thing then. I recently found Application
    Server to have the same problem (same source base). But the big patch cluster
    for that also fixes it.
    
    > THE BUG
    > during a security assessment for a bank, I collected several sessionids and
    > they did not look that random to me ...
    >
    > SessionID                     TIME
    > TWGYLZIAAACVDQ3UUSZQV2I               10:27:12
    
    Actually this cookie is built from four pieces of data:
    
    1. A 2 byte random generated once at startup (thus constant)
    2. The local IP number of the system
    3. A simple counter
    4. Time in milliseconds mixed with the counter (but not very effective)
    
    You can write a simple decoder which will print them all. And yes it is
    trivial to exploit.
    
    > THANKS
    > to the IBM websphere team, which fixed the bug pretty fast for the customer.
    
    Somehow in a weird way.
    
    Greetings,
    
    Job
    
    
    --
    Job de Haas         jobat_private
    ITSX BV      http://www.itsx.com
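The assessment step the original poster describes (collecting session IDs and noticing that most of each one never changes), as an added example that is not code from the mail or from IBM. The byte layout, the local IP and the encoding below are constructed stand-ins for the four fields Job lists; the post does not give WebSphere's real encoding, so this measures how much of a token actually varies rather than decoding it.

```python
"""Session-token predictability check (added example, not from the original
post).  Samples many tokens and measures per-byte-position entropy, which
exposes fields that are constant or nearly so.  The weak layout is a
constructed stand-in for: startup random | local IP | counter | time-ms."""
import math
import secrets
import struct
from collections import Counter

def make_constructed_weak_token(counter: int, time_ms: int) -> bytes:
    """Constructed token in a hypothetical encoding mimicking the described
    fields; not WebSphere's real format."""
    startup_random = b"\x4c\x21"            # fixed for the process lifetime
    local_ip = bytes([10, 0, 0, 5])         # local IP: constant per server
    return (startup_random + local_ip
            + struct.pack(">H", counter & 0xFFFF)               # counter
            + struct.pack(">I", (time_ms ^ counter) & 0xFFFFFFFF))  # time^ctr

def make_random_tokens(n: int, width: int = 12) -> list[bytes]:
    """Reference sample: tokens from a CSPRNG, for comparison."""
    return [secrets.token_bytes(width) for _ in range(n)]

def per_position_entropy(tokens: list[bytes]) -> list[float]:
    """Shannon entropy (bits) of each byte position across the sample."""
    n = len(tokens)
    result = []
    for i in range(len(tokens[0])):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def assess(tokens: list[bytes]) -> dict:
    """Summarise which positions never vary and how many bits really vary."""
    ent = per_position_entropy(tokens)
    return {
        "constant_positions": [i for i, e in enumerate(ent) if e == 0.0],
        "estimated_bits": round(sum(ent), 2),
        "max_bits": 8 * len(tokens[0]),
    }

if __name__ == "__main__":
    # 512 constructed tokens issued 37 ms apart, as a scanner might collect them
    weak = [make_constructed_weak_token(i, 1_001_600_000 + 37 * i) for i in range(512)]
    print("weak  :", assess(weak))     # most positions constant, few real bits
    print("random:", assess(make_random_tokens(512)))
```

Per-position entropy is a crude lower-level check: it flags constant and low-variance fields but cannot see the time correlation between consecutive tokens, so a sequential or timing analysis should follow it on anything that passes.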
    