[opencms-dev] Session Fixation Vulnerability

Cyrill Brunschwiler cbrunsch at hsr.ch
Mon Sep 13 18:59:18 CEST 2004


--------------------------------------------------------------------------
Compass Security AG - Advisory                           August 25th, 2004
http://www.csnc.ch/
--------------------------------------------------------------------------

Application    : OpenCMS
Component      : core
Version        : 5.01
Platforms      : all
Vulnerability  : session fixation
Risk           : critical
Problem-Type   : user, session, account hijacking

--------------------------------------------------------------------------

Content:
°°°°°°°°
1) Introduction
2) Who is affected
3) Who is not affected
4) Bugfix
5) Additional papers

--------------------------------------------------------------------------

1) Introduction
°°°°°°°°°°°°°°°
Cyrill Brunschwiler discovered a session fixation problem in OpenCMS 5.01,
an Open Source Content Management System built on Java Servlet Technology.
Since OpenCMS does not change the session identifier after a successful
login, hackers may obtain valid session identifiers from the system and
later use them to hijack (phish) user accounts.

2) Who is affected:
°°°°°°°°°°°°°°°°°°°
Mainly OpenCMS deployments which serve dynamic content and use the OpenCMS
login methods. The vulnerability does not affect the backoffice login. It
only affects self-programmed login procedures which use methods such as
cmso.loginWebUser(username, password);

3) Who is not affected:
°°°°°°°°°°°°°°°°°°°°°°°
OpenCMS deployments which do not take advantage of the OpenCMS built in login
methods and fully static exported sites.

4.a) Bugfix for version 5.01:
°°°°°°°°°°°°°°°°°°°°°°
Because OpenCMS session handling is based on the servlet container's session
handling, it does not track the login state but only the application
state. This means that developers should force the servlet container to
change the session identifier on every login attempt, so that a session
identifier planted in a phished user's browser is never authenticated. To
solve this issue, simply invalidate the container's session before the login
statement.

--- snippet ---
// drop the pre-login session so its (possibly attacker-supplied) identifier
// is never promoted to an authenticated session
session.invalidate();
// obtain a fresh container session with a new identifier before logging in
request.getSession(true);
cmso.loginWebUser(username, password);
---
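The 4.a fix carried through a complete servlet login, as an added example that is not part of this advisory or of OpenCMS: the pre-login session is invalidated, a fresh container session is issued, the handler checks that the identifier really changed, and only attributes assumed harmless (the names `locale` and `csrfToken` are assumptions) are copied across. `loginWebUser` is a hypothetical hook where the advisory's `cmso.loginWebUser(username, password)` call belongs.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login servlet that rotates the container session before authenticating. */
public abstract class WebUserLoginServlet extends HttpServlet {
    // Assumed attribute names that are safe to carry across the rotation;
    // never copy anything that marks a session as authenticated.
    private static final Set<String> KEEP = Set.of("locale", "csrfToken");

    /** Hypothetical hook: subclasses wrap the advisory's cmso.loginWebUser(username, password) here. */
    protected abstract void loginWebUser(HttpServletRequest req, String username, String password);
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Vulnerable variant: calling loginWebUser() right away would promote the
        // session id the browser already carries, possibly one planted by an attacker.
        String presented = req.getRequestedSessionId();
        HttpSession fresh = rotateSession(req);
        if (presented != null && presented.equals(fresh.getId())) {
            // The container re-issued the old id; refuse rather than authenticate it.
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        loginWebUser(req, req.getParameter("username"), req.getParameter("password"));
    }

    /** Invalidates the current session and returns a fresh one carrying only KEEP attributes. */
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> kept = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (Enumeration<String> n = old.getAttributeNames(); n.hasMoreElements();) {
                String name = n.nextElement();
                if (KEEP.contains(name)) kept.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);  // new identifier, new Set-Cookie
        kept.forEach(fresh::setAttribute);
        return fresh;
    }
}
```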

4.b) Bugfix for further releases:
°°°°°°°°°°°°°°°°°°°°°°°°
OpenCMS should automatically renew the session after a successful login
attempt.

5.a) Additional papers - German
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
http://www.csnc.ch/static/download/publications/SessionFixationVulnerablityV1.0.pdf
http://www.securityinfo.ch/phising.html

5.b) Additional papers - English
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
http://www.acros.si/papers/session_fixation.pdf
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.pdf

5.c) Additional papers - About Compass Security
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
http://www.csnc.ch/static/Compass_Profile_de.pdf
