Bugtraq mailing list archives

Re: Invision Power Board v2.1.4 - session hijacking


From: Peter Conrad <conrad () tivano de>
Date: Thu, 16 Mar 2006 09:36:11 +0100

Hi,

On Tue, Mar 14, 2006 at 07:32:16PM +0100, Hans Wolters wrote:

> Once you visit a site where Invision Board is used the first click on
> the Log In link points the visitor to a link with the session id in it:
>
> index.php?s=<session_id>&act=Login&CODE=00
>
> If you copy this session id, login and start a different browser (not
> a new instance) then you only need to copy the session id url into
> the different browser to login without giving the password and login
> name.

so you're saying that you can hijack a user's session if you have access
to his session id? Well, that's not a vulnerability, that's how HTTP
sessions work.

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg

Germany
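The behaviour Hans describes (an id handed out before login, visible in the URL, that stays valid as a logged-in session afterwards) is easiest to see in a small model. The following is an added example, not code from the thread or from Invision Power Board; `SessionStore`, `USERS` and the credential values are constructed for the demo. It contrasts a store that simply upgrades the pre-login id on authentication with one that retires it and issues a fresh id to the browser that actually logged in.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed credential store for the demo (not real users).
USERS = {"alice": "correct-horse"}


@dataclass
class Session:
    user: Optional[str] = None  # None until login succeeds


class SessionStore:
    """Minimal server-side session store keyed by an opaque session id (hypothetical)."""

    def __init__(self, rotate_on_login: bool):
        self.sessions: Dict[str, Session] = {}
        self.rotate_on_login = rotate_on_login

    def start(self) -> str:
        """Issued on the first visit, before authentication: the 's=' value in the URL above."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate the caller and return the session id to use from now on."""
        if sid not in self.sessions or USERS.get(username) != password:
            raise PermissionError("bad credentials or unknown session")
        if not self.rotate_on_login:
            # Weak pattern: the pre-login id is upgraded in place, so anyone who
            # saw it before login (it was in the URL) now holds a logged-in session.
            self.sessions[sid].user = username
            return sid
        # Hardened pattern: retire the pre-login id and mint a new one that only
        # the browser performing the login ever receives.
        del self.sessions[sid]
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = Session(user=username)
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        """Return the user bound to sid, or None if sid is unknown or unauthenticated."""
        s = self.sessions.get(sid)
        return s.user if s else None


def replay_pre_login_id(rotate_on_login: bool) -> Optional[str]:
    """Model the scenario from the thread: an id taken from the pre-login URL is
    presented from a second browser after the owner has logged in."""
    store = SessionStore(rotate_on_login=rotate_on_login)
    captured = store.start()                         # index.php?s=<session_id>&act=Login
    store.login(captured, "alice", "correct-horse")  # first browser logs in
    return store.whoami(captured)                    # second browser replays the old id


def rotated_session_works() -> bool:
    """Check that rotation keeps the legitimate browser logged in under its new id."""
    store = SessionStore(rotate_on_login=True)
    first = store.start()
    new = store.login(first, "alice", "correct-horse")
    return new != first and store.whoami(new) == "alice" and store.whoami(first) is None


if __name__ == "__main__":
    print("no rotation, replayed id resolves to:", replay_pre_login_id(False))  # alice
    print("with rotation, replayed id resolves to:", replay_pre_login_id(True))  # None
    print("rotated session still works for its owner:", rotated_session_works())
```

Rotating the id at the privilege change is the check that separates "someone knows my session id" (which, as Peter says, is always fatal for a bearer id) from "the id the server printed into a URL before I logged in is still my session afterwards". Keeping the id in a cookie rather than the query string also stops it from being copied into browser history, proxy logs and Referer headers.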

