[Full-disclosure] Predefined Post Authentication Session ID Vulnerability



Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
Type: Improper Session Handling
Impact: Session Hijacking
Level: Medium
Date: 10.07.2012
Vendor: Vendor-neutral
Issuer: Gokhan Muharremoglu
E-mail: gokhan.muharremoglu@xxxxxxxxx


VULNERABILITY
If a web application starts a session and defines a session id before a user
authenticated, this session id must be changed after a successful
authentication. If web application uses the same session id before and after
authentication, any legitimate user who has gained the "before
authentication" session id can hijack future "after authentication" sessions
too.


Vulnerable Login Page & Session ID before Authentication
(Status-Line) HTTP/1.1 200 OK
Server Apache/2.2.3 (CentOS)
Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma no-cache
Content-Type text/html
Content-Length 308
Date Tue, 10 Jul 2012 06:16:57 GMT
X-Varnish 1922993981
Age 0
Via 1.1 varnish
Connection keep-alive


Vulnerable Login Page & Authentication Request
(Request-Line) POST /iosec_login_vulnerable.php HTTP/1.1
Host www.iosec.org
User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.2.25)
Gecko/20111212 Firefox/3.6.25 ( .NET CLR 3.5.30729; .NET4.0E)
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-9,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
Connection keep-alive
Referer http://www.iosec.org/iosec_login_vulnerable.php
Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2
Content-Type application/x-www-form-urlencoded
Content-Length 42
POST DATA
user gokhan
pass muharremoglu
submit Login


Vulnerable Login Page & Session ID after Authentication
(Status-Line) HTTP/1.1 200 OK
Server Apache/2.2.3 (CentOS)
Set-Cookie PHPSESSID=8usd2oeo11a8cod9q3lnev9je2; path=/
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma no-cache
Content-Type text/html
Content-Length 308
Date Tue, 10 Jul 2012 06:16:57 GMT
X-Varnish 1922993981
Age 0
Via 1.1 varnish
Connection keep-alive


MITIGATION
To avoid this vulnerability, sessions must be regenerated after a successful
login. In a session fixation attack, attacker fixates (sets) another
person's (victim's) session identifier because of "never regenerated and
validated" session id and this vulnerability can also lead to the Session
Fixation attack.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages