Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ATG Dynamo issues?

From: "Bill Pennington" <billp () boarder org>
Date: Thu, 4 Oct 2001 22:48:13 -0700
Not a mind blowing issue but I have seen simular products that reuse session
ids between SSL and non-SSL sessions. So you can capture a session id during
a non-ssl request then insert it into an SSL session and "hi-jack" the
session.



----- Original Message -----
From: "Dom De Vitto" <Dom () DeVitto com>
To: <pen-test () securityfocus com>
Sent: Wednesday, October 03, 2001 2:06 AM
Subject: ATG Dynamo issues?



ATG Dynamo is a dynamic web content/e-commerce system.

Does anyone know of any issues with it?
(it does have the habit of putting sessionids all over the place, in URLs
etc, but the session id space looks pretty wide 36^32 - unless the RNG is
naff?)

Thanks in advance,
Dom



--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus Security Intelligence Alert

(SIA)

Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please

see:

https://alerts.securityfocus.com/




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: