Penetration Testing mailing list archives
Re: ATG Dynamo issues?
From: "Bill Pennington" <billp () boarder org>
Date: Thu, 4 Oct 2001 22:48:13 -0700
Not a mind-blowing issue but I have seen similar products that reuse session ids between SSL and non-SSL sessions. So you can capture a session id during a non-SSL request then insert it into an SSL session and "hi-jack" the session.

----- Original Message -----
From: "Dom De Vitto" <Dom () DeVitto com>
To: <pen-test () securityfocus com>
Sent: Wednesday, October 03, 2001 2:06 AM
Subject: ATG Dynamo issues?

ATG Dynamo is a dynamic web content/e-commerce system. Does anyone know of any issues with it? (It does have the habit of putting session ids all over the place, in URLs etc., but the session id space looks pretty wide, 36^32, unless the RNG is naff?)

Thanks in advance,
Dom

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
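A defender's check for the session-id reuse described in the reply above, as an added example that is not part of the original thread: it scans access-log lines and reports session ids that were presented over both http and https. The log format, the parameter name `sid`, the addresses and the id values are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines: "<client> <scheme> <request-target>".
# The parameter name "sid" is a placeholder, not ATG Dynamo's actual name.
SAMPLE_LOG = """\
10.0.0.5 http /catalog?sid=AAAA1111BBBB2222
10.0.0.5 https /checkout?sid=AAAA1111BBBB2222
10.0.0.9 https /checkout?sid=AAAA1111BBBB2222
10.0.0.7 http /catalog?sid=CCCC3333DDDD4444
10.0.0.8 https /account;sid=EEEE5555FFFF6666?view=1
this line is malformed
"""

SID_RE = re.compile(r"[?&;]sid=([A-Za-z0-9]+)")


def cross_scheme_sessions(log_text, sid_re=SID_RE):
    """Map each session id seen over both http and https to its client set."""
    seen = defaultdict(lambda: {"schemes": set(), "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("http", "https"):
            continue  # skip lines that do not match the assumed format
        client, scheme, target = parts
        match = sid_re.search(target)
        if match:
            entry = seen[match.group(1)]
            entry["schemes"].add(scheme)
            entry["clients"].add(client)
    return {
        sid: entry["clients"]
        for sid, entry in seen.items()
        if entry["schemes"] == {"http", "https"}
    }


def multi_client_sessions(findings):
    """Of the cross-scheme ids, keep those presented by more than one client."""
    return {sid: c for sid, c in findings.items() if len(c) > 1}


if __name__ == "__main__":
    findings = cross_scheme_sessions(SAMPLE_LOG)
    for sid, clients in findings.items():
        print(f"session id {sid} used over http and https by {sorted(clients)}")
    print("multi-client:", sorted(multi_client_sessions(findings)))
```

An id that appears in this output was exposed in cleartext before being accepted over SSL; issuing a fresh id at the switch to SSL removes the overlap.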
Current thread:
- ATG Dynamo issues? Dom De Vitto (Oct 04)
- Re: ATG Dynamo issues? Bill Pennington (Oct 05)