Bugtraq mailing list archives

Re: Invision Power Board v2.1.4 - session hijacking


From: matt () invisionpower com
Date: 16 Mar 2006 14:55:14 -0000

This report is ridiculous and quite frankly shows that the author does not understand how IPB works.

Yes, the author is correct in finding that if you copy the user's IP address, the user's user-agent and the user's 
session ID, then you can "hijack" their session.

That's because, to all intents and purposes, you are the same person.

A stateless HTTP application HAS to authenticate against SOMETHING.

This report is bogus. Feel free to relabel it "Stateless HTTP authentication potential vulnerability" and remove it 
from Invision Power Board's category.
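The check the reply describes, written out as an added example: a session is accepted only when the session ID, the client IP address and the User-Agent all match what was recorded when the session was issued, so a request that reproduces all three is indistinguishable from the legitimate user. This is illustrative Python, not Invision Power Board's own code; the in-memory dictionary, the hashing of the IP and User-Agent into one fingerprint, and the IP addresses and User-Agent strings are all constructed for the example.

```python
"""Session binding check of the kind the reply describes (added example,
not Invision Power Board's implementation): the session ID is accepted only
when the request's IP address and User-Agent match the values recorded when
the session was created."""

import hashlib
import hmac
import secrets

# Constructed in-memory session store: session_id -> binding fingerprint.
# A real forum would keep this in its database; the dict is an assumption.
_SESSIONS: dict[str, str] = {}


def _fingerprint(ip: str, user_agent: str) -> str:
    """Hash the client attributes the session is bound to into one value."""
    return hashlib.sha256(f"{ip}\x00{user_agent}".encode()).hexdigest()


def create_session(ip: str, user_agent: str) -> str:
    """Issue a fresh random session ID bound to the client's IP and User-Agent."""
    session_id = secrets.token_hex(16)
    _SESSIONS[session_id] = _fingerprint(ip, user_agent)
    return session_id


def validate_session(session_id: str, ip: str, user_agent: str) -> bool:
    """Accept the request only if the ID is known and its binding matches."""
    expected = _SESSIONS.get(session_id)
    if expected is None:
        return False
    # Constant-time comparison so the check leaks nothing about the stored hash.
    return hmac.compare_digest(expected, _fingerprint(ip, user_agent))


def demo() -> dict[str, bool]:
    """Walk through the scenarios from the thread with constructed values."""
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (constructed UA)"
    sid = create_session(victim_ip, victim_ua)
    return {
        # Legitimate user: ID, IP and User-Agent all match.
        "legitimate": validate_session(sid, victim_ip, victim_ua),
        # Stolen ID only: IP and User-Agent differ, so the check rejects it.
        "id_only": validate_session(sid, "198.51.100.7", "curl/8.0"),
        # Stolen ID plus the right User-Agent but a different IP: still rejected.
        "id_and_ua": validate_session(sid, "198.51.100.7", victim_ua),
        # All three copied: the request is indistinguishable from the user.
        "all_three": validate_session(sid, victim_ip, victim_ua),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it prints `legitimate: accepted`, `id_only: rejected`, `id_and_ua: rejected`, `all_three: accepted`, which is exactly the situation the reply describes: the server authenticates against the triple, and nothing in the triple distinguishes the user from a client that presents the same three values.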

