HC's Capture the Flag website
25C3-CTF

Advisory #102

From team Ailuropoda Melanoleucas

New advisory by : Samsa
Affected service(s): ultrashare
Severity [lmh] : low

===== Problem =====

The application is vulnerable to a 'Fixed Session' attack. This attack
consists of setting the user's session before the server does. After
that, when the user logs in, the server authenticates the cookie without
any validation, as the following portion of source code shows:
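
    when "login"
      options = @db.login @cgi['username'], @cgi['password']
      if (options[:errors].length == 0) then
        # The session already attached to the request is marked as
        # authorized as-is; its ID is neither checked nor replaced.
        @cgi.session['authorized'] = true
        @cgi.session['user'] = @cgi['username']
        mainMenu options
      else
        showLoginForm options
      end
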
Once the session has been authorized, the attacker, who already knows
the sessionId, can access the restricted zone.

===== Impact =====

- Access to an Admin Zone without authentication

===== Fix =====

To fix this flaw, it is important to perform an additional validation of
the session value at every critical moment and, if needed, assign a new one.
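
The difference between the login branch above and one that assigns a new session at login, as an added example that is not ultrashare's code. It models the session layer with an in-memory store instead of the CGI session object; SessionStore, login_vulnerable, login_fixed and demo are hypothetical names, and the session ID is a constructed sample value.

```ruby
require 'securerandom'

# In-memory stand-in for the server-side session layer (hypothetical).
class SessionStore
  def initialize
    @sessions = {}
  end

  # Permissive lookup: adopts whatever ID the client presents.
  def fetch(id)
    id ||= SecureRandom.hex(16)
    [id, (@sessions[id] ||= {})]
  end

  # Move the session data to a fresh random ID and drop the old ID.
  def regenerate(old_id)
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = @sessions.delete(old_id) || {}
    new_id
  end

  def authorized?(id)
    @sessions.dig(id, 'authorized') == true
  end
end

# Same logic as the advisory's "login" branch: the presented ID is kept.
def login_vulnerable(store, presented_id, user)
  id, session = store.fetch(presented_id)
  session['authorized'] = true
  session['user'] = user
  id
end

# Fix: replace the session ID at the moment privileges change.
def login_fixed(store, presented_id, user)
  id, = store.fetch(presented_id)
  id = store.regenerate(id)
  _, session = store.fetch(id)
  session['authorized'] = true
  session['user'] = user
  id
end

# Compare both logins with an ID that was known before authentication.
def demo
  known_id = 'constructed-id-known-before-login' # constructed sample value
  v = SessionStore.new
  login_vulnerable(v, known_id, 'alice')
  f = SessionStore.new
  fresh = login_fixed(f, known_id, 'alice')
  { vulnerable_old_id: v.authorized?(known_id), fixed_old_id: f.authorized?(known_id),
    fixed_new_id: f.authorized?(fresh), id_changed: fresh != known_id }
end
```

With the fixed login, the ID known before authentication no longer maps to an authorized session; only the freshly issued one does.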


Rating

[0] Yeah, but in my opinion this is fixed already by your previous fix (see #90)
