From: Steven L. <st...@tu...> - 2005-01-14 19:53:49

Hello Everyone,

A security vulnerability was recently brought to our attention in which someone could hijack a session if they were able to retrieve a URL that had a valid session id in it (i.e. HTTP Referrer). This problem only affects sites that allow for the session id to be passed in the URL when cookies are rejected.

The fix has been applied to the current CVS tree. If you are worried that your site is vulnerable, then the file with the fix can be downloaded from here:

http://res1.stddev.appstate.edu/horde/chora/co.php/phpwebsite/core/Core.php?login=2&r=1.135&p=1

FYI: can only be applied to phpWebSite versions 0.9.3-2 or greater.

Diffs are available here:

http://tux.appstate.edu/pipermail/phpwebsite-cvs-notice/2005-January/008774.html

Sites which only allow sessions via cookies are not vulnerable.

--
The phpWebSite Development Team
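The exposure described in the advisory (a session id carried in the URL, which then leaks to other sites through the Referrer header) is something a site operator can check for in their own access logs, and the cookie-only rule the advisory recommends can be expressed as a small selection function. The following is an added example, not code from phpWebSite or from the advisory. It assumes the session parameter is named `PHPSESSID` (PHP's default; phpWebSite's actual parameter name is not stated in the message) and runs over a few constructed Apache combined-format log lines embedded inline.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory or any real server).
# Line 1: a request that carries the session id in its own query string.
# Line 2: a request whose Referrer header carries a session id (leak from a URL-session page).
# Line 3: a clean request for comparison.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2005:19:53:49 +0000] "GET /index.php?module=users&PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Jan/2005:19:54:10 +0000] "GET /index.php?module=news HTTP/1.1" 200 4096 "http://example.test/index.php?PHPSESSID=0123456789abcdef0123456789abcdef" "Mozilla/5.0"
10.0.0.7 - - [14/Jan/2005:19:55:02 +0000] "GET /index.php?module=news HTTP/1.1" 200 4096 "http://example.test/index.php?module=users" "Mozilla/5.0"
"""

# Apache "combined" log format: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def session_ids_in_url(url, param="PHPSESSID"):
    """Return every value of the session parameter found in a URL's query string.

    Works for both a bare request target ("/index.php?...") and a full Referrer URL.
    A "-" referer or a URL without a query string yields an empty list.
    """
    query = urlsplit(url).query
    return parse_qs(query).get(param, [])


def scan_log(log_text, param="PHPSESSID"):
    """Flag log entries where a session id travelled in a URL.

    Each finding records the line number, the client address, whether the id
    appeared in the request itself or in the Referrer header, and the id value.
    Either location means the id was exposed outside the cookie channel.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        for where in ("request", "referer"):
            url = m.group("target") if where == "request" else m.group("referer")
            for sid in session_ids_in_url(url, param):
                findings.append({
                    "line": lineno,
                    "client": m.group("ip"),
                    "where": where,
                    "session_id": sid,
                })
    return findings


def pick_session_id(cookies, query, param="PHPSESSID", allow_url=False):
    """Select the session id a request should be resumed from.

    The hardened default (allow_url=False) honours only the cookie, which is the
    "cookie-only sessions" posture the advisory describes as not vulnerable.
    allow_url=True reproduces the permissive fallback to the query string that
    lets an id leak through Referrer headers; it is here only for comparison.
    `cookies` is a dict of cookie name -> value; `query` is parse_qs output
    (name -> list of values).
    """
    if param in cookies:
        return cookies[param]
    if allow_url and query.get(param):
        return query[param][0]
    return None


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: session id in {f['where']} from {f['client']}: {f['session_id']}")
```

Running the scanner over real logs reports every request where a session id was present in the request target or the Referrer, which tells you both whether the site is still issuing URL-based sessions and whether any ids have already been disclosed to other origins; those sessions are the ones worth invalidating after applying the fix.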