[ic] Admin/Login Bug?!

Greg Goble interchange-users@icdevgroup.org
Wed Feb 19 06:51:01 2003


Dear IC Team,

I just came across this on my own site and then tested it on the icdevgroup demo1 site.

I even cleared my cache, cookies, you name it, from my PC where I accessed the demo admin site after I copied the URL pasted below.

Here's where I see a security problem:

If someone were to get hold of or intercept the URL and session IDs that I'm using in my admin area, then they have full access
to my admin area without a username & pwd.

I hope someone can prove me wrong. If not, I hope we (you all) can fix this ASAP. I've been testing this for the last 15 minutes and
I'm getting in every time without the username & pwd. Even worse, I have the ability to move around in the admin area.

Here's a URL to IC's demo1 admin area. See if you get prompted for the username & password.
http://demo.icdevgroup.org/i/demo1/admin/customer.html?showactive=1&id=TwXw32cc&mv_pc=17

Granted, if IC's demo1 clears its session IDs between now and the time you all receive this, it may not work. So try it yourself.

Immediate attention, clarification and support is greatly appreciated.

Regards, Greg G.
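The behaviour Greg describes, modelled as an added example that is not Interchange's code and not from this thread: the `id=` value in the URL is the whole credential, so anyone who captures the URL of a logged-in admin session gets in. The session store, the constructed credential table, the cookie name `admin_login` and the hardening (requiring a second token that is only ever sent as a cookie, never in a URL) are all assumptions made for illustration, not the project's fix.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed credential table for the demo; nothing here is from the demo1 site.
CREDENTIALS = {"admin": "correct horse battery staple"}


class SessionStore:
    """In-memory session table keyed by the id that the URLs carry as ?id=..."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(6)
        self._sessions[sid] = {"user": None, "login_token": None}
        return sid

    def login(self, sid, user, password):
        """Marks the session as authenticated and issues a second token that is
        only ever sent as a cookie, never placed in a URL (assumed hardening)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if not hmac.compare_digest(CREDENTIALS.get(user, ""), password):
            return None
        sess["user"] = user
        sess["login_token"] = secrets.token_hex(16)
        return sess["login_token"]

    def get(self, sid):
        return self._sessions.get(sid)


def session_id_from_url(url):
    """Extracts the ?id= value from an admin URL shaped like the one in the post."""
    return parse_qs(urlparse(url).query).get("id", [None])[0]


def is_admin_path(url):
    return "/admin/" in urlparse(url).path


def weak_admin_allowed(store, url):
    """Reproduces the reported behaviour: whoever holds a URL naming a logged-in
    session reaches the admin area with no further prompt."""
    if not is_admin_path(url):
        return False
    sess = store.get(session_id_from_url(url))
    return sess is not None and sess["user"] is not None


def hardened_admin_allowed(store, url, cookies):
    """Assumed hardening, not the project's fix: the URL id alone is not a
    credential; the request must also carry the cookie-only login token, so a
    leaked or intercepted URL does not reproduce the whole session."""
    if not is_admin_path(url):
        return False
    sess = store.get(session_id_from_url(url))
    if sess is None or sess["user"] is None:
        return False
    presented = cookies.get("admin_login", "")
    return hmac.compare_digest(presented, sess["login_token"] or "")


def demo():
    """Logs an admin in, 'leaks' the admin URL, and tries both checks with it."""
    store = SessionStore()
    sid = store.create()
    token = store.login(sid, "admin", CREDENTIALS["admin"])
    # Constructed URL in the same shape as the one quoted in the post.
    leaked = f"http://shop.example/i/demo1/admin/customer.html?showactive=1&id={sid}&mv_pc=17"
    return {
        "weak_with_url_only": weak_admin_allowed(store, leaked),
        "hardened_with_url_only": hardened_admin_allowed(store, leaked, {}),
        "hardened_with_cookie": hardened_admin_allowed(store, leaked, {"admin_login": token}),
    }


if __name__ == "__main__":
    print(demo())
```

With only the URL, `weak_admin_allowed` grants access and `hardened_admin_allowed` refuses; once the browser that actually logged in presents the cookie token, the hardened check passes. A session id carried in the query string leaks through Referer headers, proxy and server logs, and shared links, which is why binding the session to something that never appears in the URL (and serving the admin area over HTTPS) matters.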