Bugtraq mailing list archives
Re: Joomla: Session hijacking vulnerability, CVE-2008-4122
From: darkz.gsa () gmail com
Date: Thu, 18 Dec 2008 04:40:40 -0700
Yes, I can reproduce this behavior. The application should reinitialize the cookie after the login but instead it will keep the previous cookie. An interesting thing this is valid only for the login_module, the administrator login page does not automatically redirect to HTTPS by configuration.
Current thread:
- Joomla: Session hijacking vulnerability, CVE-2008-4122 Hanno Böck (Dec 16)
- <Possible follow-ups>
- Re: Joomla: Session hijacking vulnerability, CVE-2008-4122 darkz . gsa (Dec 18)