Joomla: Session hijacking vulnerability, CVE-2008-4122
References
http://cve.mitre.org/cgi-bin/cvename...DCVE-2008-4122
http://int21.de/cve/CVE-2008-4122-joomla.html
http://enablesecurity.com/2008/08/11...-not-save-you/
https://www.defcon.org/html/defcon-1...ers.html#Perry
Description
When configuring a web application to use only SSL (e.g. by forwarding all HTTP requests to HTTPS), a user would expect that sniffing and hijacking the session is impossible.
For this to be secure, though, one needs to set the secure flag on the session cookie. Otherwise the cookie will be transferred over HTTP if the victim's browser makes a single HTTP request to the same domain.
Joomla 1.5.8 does not set that flag. I've contacted the Joomla security team in advance but got no reply.
Disclosure Timeline
2008-11-18: Vendor contacted
2008-12-16: Published advisory
Credits and copyright
This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the Creative Commons Attribution license.
Hanno Boeck, http://www.hboeck.de
-- 
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de
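
A check for the condition described in this advisory, as an added example that is not part of the original advisory or of Joomla's code: it parses Set-Cookie response headers and lists the cookies issued without the Secure attribute. The header lines, cookie names and values are constructed sample data.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example)."""

# Constructed sample: response headers an HTTPS-only site might send.
# Cookie names and values are made up for this example.
SAMPLE_HEADERS = [
    "Set-Cookie: 5f2a9c0e=abc123; path=/",
    "Set-Cookie: sid=def456; Path=/; Secure; HttpOnly",
    "set-cookie: prefs=secure; path=/",      # "secure" is the value, not a flag
    "Set-Cookie: token=ghi789; path=/; SECURE",
    "Content-Type: text/html",
]


def parse_set_cookie(line):
    """Return (name, attrs) for a Set-Cookie header line, else None."""
    field, sep, value = line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    # The first part is the name=value pair; everything after is an attribute.
    name, eq, _ = parts[0].partition("=")
    if not eq or not name.strip():
        return None
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            # Attribute names are case-insensitive.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(header_lines):
    """Names of cookies set without Secure, in order of appearance."""
    missing = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed and "secure" not in parsed[1]:
            missing.append(parsed[0])
    return missing


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {name!r} lacks Secure and will also be sent over http")
```
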