what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

drupal-hijack.txt

drupal-hijack.txt
Posted Sep 20, 2008
Authored by Hanno Boeck | Site hboeck.de

Drupal CMS fails to set the secure flag in the session cookie allowing for session hijacking.

tags | advisory
advisories | CVE-2008-3661
SHA-256 | 6d5d4657228cd6039e3ccbfbac2cd8adc8cdb25a11f076f03f379e89ca0016db

drupal-hijack.txt

Change Mirror Download
drupal: Session hijacking vulnerability, CVE-2008-3661

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3661
https://int21.de/cve/CVE-2008-3661-drupal.html
https://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry

Description

When configuring a web application to use only ssl (e. g. by forwarding all
http-requests to https), a user would expect that sniffing and hijacking the
session is impossible.

Though, for this to be secure, one needs to set the session cookie to have the
secure flag. Else the cookie will be transferred through http if the victim's
browser does a single http-request on the same domain.

The drupal CMS is vulnerable to this issue. They don't consider this as a
drupal issue and have not published a fix yet.

Disclosure Timeline

2008-08-13: Vendor contacted
2008-09-20 Published advisory

Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the creative commons attribution license.

Hanno Boeck, https://www.hboeck.de

--
Hanno Böck Blog: https://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close