Not a mind-blowing issue, but I have seen similar products that reuse session ids between SSL and non-SSL sessions. So you can capture a session id during a non-SSL request, then insert it into an SSL session and "hijack" the session.

----- Original Message -----
From: "Dom De Vitto" <Domat_private>
To: <pen-testat_private>
Sent: Wednesday, October 03, 2001 2:06 AM
Subject: ATG Dynamo issues?

> ATG Dynamo is a dynamic web content/e-commerce system.
>
> Does anyone know of any issues with it?
> (it does have the habit of putting sessionids all over the place, in URLs
> etc, but the session id space looks pretty wide 36^32 - unless the RNG is
> naff?)
>
> Thanks in advance,
> Dom
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
> ----------------------------------------------------------------------------
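A defender-side illustration of the reuse problem described in the reply above, as an added example that is not ATG Dynamo's code or anything posted in this thread: a session store that records the scheme each id was issued on, so an id seen in a cleartext request is never honoured as an authenticated session over SSL. It also computes the entropy of the 36^32 id space mentioned in the original question, on the assumption that the generator is a sound CSPRNG. All names are hypothetical.

```python
import math
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # 36 symbols, as in 36^32
SESSION_ID_LEN = 32


def new_session_id() -> str:
    """Fresh id from the OS CSPRNG (a weak RNG would undermine the 36^32 space)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(SESSION_ID_LEN))


def id_space_bits(alphabet_size: int = 36, length: int = SESSION_ID_LEN) -> float:
    """Bits of entropy in alphabet_size ** length ids, assuming uniform generation."""
    return length * math.log2(alphabet_size)


class SessionStore:
    """Hypothetical store: each id is bound to the scheme (HTTP or HTTPS) it was issued on."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}  # sid -> {"secure": bool, "user": str|None}

    def create(self, secure: bool) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"secure": secure, "user": None}
        return sid

    def login(self, sid: str, user: str) -> bool:
        """Authenticated state is only ever attached to a session issued over TLS."""
        entry = self._sessions.get(sid)
        if entry is None or not entry["secure"]:
            return False
        entry["user"] = user
        return True

    def resolve(self, sid: str, secure: bool):
        """Return (sid, user) for a request, or None if the id is not accepted.

        A TLS-issued id presented over cleartext is refused (it must never leak).
        A cleartext-issued id presented over TLS is retired and replaced by a new,
        unauthenticated TLS session, so an id captured on the wire carries no
        privilege across the SSL boundary.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["secure"] and not secure:
            return None
        if not entry["secure"] and secure:
            del self._sessions[sid]          # retire the cleartext id
            fresh = self.create(secure=True)  # no user state carried across
            return fresh, None
        return sid, entry["user"]
```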
This archive was generated by hypermail 2b30 : Fri Oct 05 2001 - 18:47:39 PDT