Re: ATG Dynamo issues?

From: Bill Pennington (billp@boarder.org)
Date: 10/05/01


Message-ID: <008501c14d61$64acd7a0$0300a8c0@boarder.org>
From: "Bill Pennington" <billp@boarder.org>
To: "Dom De Vitto" <Dom@DeVitto.com>, <pen-test@securityfocus.com>
Subject: Re: ATG Dynamo issues?
Date: Thu, 4 Oct 2001 22:48:13 -0700

Not a mind blowing issue but I have seen simular products that reuse session
ids between SSL and non-SSL sessions. So you can capture a session id during
a non-ssl request then insert it into an SSL session and "hi-jack" the
session.

----- Original Message -----
From: "Dom De Vitto" <Dom@DeVitto.com>
To: <pen-test@securityfocus.com>
Sent: Wednesday, October 03, 2001 2:06 AM
Subject: ATG Dynamo issues?

> ATG Dynamo is a dynamic web content/e-commerce system.
>
> Does anyone know of any issues with it?
> (it does have the habit of putting sessionids all over the place, in URLs
> etc, but the session id space looks pretty wide 36^32 - unless the RNG is
> naff?)
>
> Thanks in advance,
> Dom
>
>
>
> --------------------------------------------------------------------------

--
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/
>

---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/



Relevant Pages

  • Re: Hacking demo - most spectacular techniques
    ... Hacking demo - most spectacular techniques ... Remote VNC install - GUI session on target machine ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • RE: Hacking demo - most spectacular techniques
    ... Hacking demo - most spectacular techniques ... Instead of netcat try the crypto version called 'cryptcat'. ... twofish to make the netcat session unreadable with a sniffer. ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: faster scans? (nmap)
    ... one host using nmap for syn scans in burst mode with the ... >>>This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
    (Pen-Test)
  • Re: pen test help please asap
    ... > Machine A on client site makes a configurable encrypted OUTBOUND ... > This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: ettercap help
    ... Anyways have never tried Ettercap for VNC. ... > This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)