Full Disclosure mailing list archives
Re: Verisign Login Hijacking
From: "David A. Koran" <newsfeed () solo net>
Date: Thu, 25 Sep 2003 21:04:21 -0400 (EDT)
Sure enough, this works under most of the browsers I've tried, and at least shows the pitfalls of not cutting your session cookies short, or at least periodically killing login cookies. Damn, even Microsoft does a better job of it. Dotster and others don't seem to have this problem with session expiration.

There are obviously better ways to keep session state between machines, even under SSL. A former employer had me manage that through a Cisco/Arrowpoint CS series content switch, and it worked like a charm, and we didn't expose login sessions, plus the perl proxy code handled authorization and other session keys on the backend through a database... simple enough idea.

I wonder if this poor programming extends itself to their server for signing up and managing digital certificates... Well, if anybody gets hold of a good spoofed URL, I'm sure we'll see the UN, CNN, NyTimes, or other sites bumped off the map (not just web traffic but entire domains) by unauthorised redirections. I'm sure with enough effort, you can pick the salt up for the session keys and start generating your own logins.

I'm not notifying Verisign, I think it's up to them to come to us. Just my personal opinion...

Really, didn't these guys take a class in programming for the web? Even a distributed systems class would have taught them to bump a ticketed session down to 5-10 minutes at most. Wouldn't you hash the session with an originating IP or something to make sure the session can be verified and not hijacked? Most folks would rather close the browser window than logout, thus keeping the server session active.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
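The two mitigations argued for in the message above (a short idle timeout on login sessions, and tying the session to the originating client address so a copied cookie is useless from another machine) are shown below as an added example. This is not code from the original post, from Verisign, or from any of the sites mentioned; the session store class, its method names, the 10-minute timeout, and the cookie and IP values in the walk-through are all constructed for illustration.

```python
"""Server-side session store with idle expiry and client-address binding.

Added example, not from the original mailing-list post. Names
(SessionStore, issue, lookup, logout, demo), the 10-minute idle window
and the addresses used in demo() are assumptions for this illustration.
"""
import hashlib
import hmac
import secrets
import time

# Server-side key used to bind a session id to a client address.
# Assumption: generated at process start; a real deployment would load a
# persistent, rotatable key so sessions survive restarts.
SECRET = secrets.token_bytes(32)
IDLE_TIMEOUT = 10 * 60   # seconds; the upper bound the message suggests


def _bind(session_id: str, client_ip: str) -> str:
    """HMAC-SHA256 over (session_id, client_ip) under the server secret.

    The cookie carries session_id plus this tag. Only the server can
    recompute the tag, so an attacker who copies the cookie to a host with
    a different address cannot adjust it to match.
    """
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self, idle_timeout: int = IDLE_TIMEOUT, now=time.time):
        self._now = now            # injectable clock so expiry is testable
        self._ttl = idle_timeout
        self._sessions = {}        # session_id -> {"user": ..., "last_seen": ...}

    def issue(self, user: str, client_ip: str) -> str:
        """Create a session for `user` and return the cookie value to set."""
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy; never derived from a salt
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return f"{sid}.{_bind(sid, client_ip)}"

    def lookup(self, cookie: str, client_ip: str):
        """Return the user for a valid cookie presented from client_ip, else None."""
        try:
            sid, tag = cookie.split(".", 1)
        except ValueError:
            return None
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        # Idle expiry: a user who just closes the window must not leave a
        # live session behind indefinitely.
        if self._now() - rec["last_seen"] > self._ttl:
            del self._sessions[sid]
            return None
        # Address binding: recompute the tag for the *presenting* address and
        # compare in constant time against the tag the client sent.
        if not hmac.compare_digest(tag, _bind(sid, client_ip)):
            return None
        rec["last_seen"] = self._now()   # sliding window: activity extends the session
        return rec["user"]

    def logout(self, cookie: str) -> None:
        """Destroy server-side state so the cookie is dead even if it is replayed."""
        sid = cookie.split(".", 1)[0]
        self._sessions.pop(sid, None)


def demo() -> dict:
    """Walk through the hijack scenario from the thread; returns the outcomes."""
    clock = [1_000_000.0]                       # fake clock, seconds
    store = SessionStore(now=lambda: clock[0])
    cookie = store.issue("alice", "203.0.113.10")          # constructed client address
    out = {}
    out["same_ip"] = store.lookup(cookie, "203.0.113.10")             # legitimate use
    out["stolen_cookie_other_ip"] = store.lookup(cookie, "198.51.100.7")  # replayed elsewhere
    clock[0] += IDLE_TIMEOUT + 1
    out["after_idle_timeout"] = store.lookup(cookie, "203.0.113.10")  # window closed, never logged out
    second = store.issue("alice", "203.0.113.10")
    store.logout(second)
    out["after_logout"] = store.lookup(second, "203.0.113.10")        # replay after explicit logout
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the store keeps session state on the server, the address check could equally be done by recording the client IP at issue time and comparing it on each request; the HMAC form is used here because it is what the post's "hash the session with an originating IP" describes, and it also works if the session is later moved into the cookie itself. One caveat a practitioner should weigh: clients behind NAT, proxy pools or mobile carriers change address mid-session, so many deployments treat a mismatch as a trigger to re-authenticate rather than a hard rejection. Nothing in the binding replaces the idle timeout or a logout that actually destroys server-side state.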
Current thread:
- Verisign Login Hijacking SoloNet Newsfeed (Sep 25)
- Re: Verisign Login Hijacking Jeremiah Cornelius (Sep 25)
- Re: Verisign Login Hijacking David A. Koran (Sep 25)
- Re: Verisign Login Hijacking Jonathan A. Zdziarski (Sep 25)
- Re: Verisign Login Hijacking David A. Koran (Sep 25)
- Re: Verisign Login Hijacking Jeremiah Cornelius (Sep 25)