
Joomla: Session hijacking vulnerability, CVE-2008-4122

References

http://cve.mitre.org/cgi-bin/cvename...DCVE-2008-4122
http://int21.de/cve/CVE-2008-4122-joomla.html
http://enablesecurity.com/2008/08/11...-not-save-you/
https://www.defcon.org/html/defcon-1...ers.html#Perry

Description

When configuring a web application to use only SSL (e.g. by forwarding all
http requests to https), a user would expect that sniffing and hijacking the
session is impossible.

For this to actually be secure, however, the session cookie must be set with
the secure flag. Otherwise the browser will also send the cookie over plain
http as soon as the victim's browser makes a single http request to the same
domain, and a passive sniffer on the network can read the session id.

Joomla 1.5.8 does not set that flag. I've contacted the Joomla security team
in advance but got no reply.
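
The following is an added example, not code from the advisory or from the
Joomla project. It shows the defender-side check described above: parse the
Set-Cookie headers an https response returns, the way a browser splits them
into name, value and attributes, and report any session cookie that lacks the
Secure attribute, since such a cookie is also sent over plain http. The
sample headers are constructed; the rule that a 32-character hex cookie name
is a Joomla-style session cookie is an assumption used only to make the
sample realistic, and hardened_set_cookie() is a helper written for this
example, not an API of Joomla or PHP.

```python
"""Report session cookies that a browser would also send over plain http.

Added example (not from the advisory or Joomla). A cookie without the
Secure attribute is attached to every request to the cookie's domain,
including http requests, so an https-only site still leaks it.
"""
import re
from typing import Dict, List

# Names that usually carry a session identifier. The 32-hex-char rule is an
# assumption standing in for Joomla's hashed session cookie name; the
# "sess" rule covers PHPSESSID and similar names.
SESSION_NAME_PATTERNS = [
    re.compile(r"^[0-9a-f]{32}$"),
    re.compile(r"sess", re.IGNORECASE),
]


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attributes are keyed case-insensitively; flag attributes such as
    Secure and HttpOnly map to True, valued ones (Path, Domain) to their
    string value, matching how RFC 6265 describes the attribute list.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    """True if the cookie name looks like it carries a session id."""
    return any(p.search(name) for p in SESSION_NAME_PATTERNS)


def find_insecure_session_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of session cookies set without the Secure flag.

    Run this over the Set-Cookie headers of an https response: anything it
    returns will be transmitted in clear text on the next http request to
    the same domain.
    """
    insecure = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if is_session_cookie(cookie["name"]) and "secure" not in cookie["attrs"]:
            insecure.append(cookie["name"])
    return insecure


def hardened_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build the Set-Cookie value a fixed application should emit.

    Secure keeps the cookie off plain http; HttpOnly additionally keeps it
    away from script access. Helper written for this example.
    """
    return f"{name}={value}; Path={path}; Secure; HttpOnly"


# Constructed sample headers, modelled on an https-only PHP site whose
# session cookies are emitted without the Secure flag.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/",                                  # leaks
    "8f1b2c3d4e5f60718293a4b5c6d7e8f9=k9q2; path=/",            # leaks
    "lang=en; path=/",                                           # no session id
    hardened_set_cookie("PHPSESSID", "abc123"),                  # fixed form
]

if __name__ == "__main__":
    for name in find_insecure_session_cookies(SAMPLE_HEADERS):
        print(f"session cookie '{name}' is missing the Secure flag")
```

The same check can be applied to the headers of a live https response; a
session cookie only has to be reported once, since a browser keeps sending
the insecure cookie until it expires or is replaced by one carrying Secure.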

Disclosure Timeline

2008-11-18: Vendor contacted
2008-12-16: Published advisory

Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the Creative Commons Attribution license.

Hanno Boeck, http://www.hboeck.de

-- 
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de
