[ic] Admin/Login Bug?!

Jonathan Clark interchange-users@icdevgroup.org
Wed Feb 19 07:49:00 2003


> I just came across this on my own site and then tested it on the
> icdevgroup demo1 site.
>
> I even cleared my cache, cookies, you name it from my pc where I
> accessed the demo admin site after I copied the url pasted below.
>
> Here's where I see a security problem:
>
> If someone were to get a hold of or intercept the URL and session
> IDs that I'm using in my admin area then they have full access
> without username & pwd to my admin area.
>
> I hope someone can prove me wrong. If not, I hope we (you all) can
> fix this asap. I've been testing this for the last 15 minutes and
> I'm getting in every time without the username & pwd. Even worse,
> I have the ability to move around in the admin area.
>
> Here's a URL to IC's demo1 admin area. See if you get prompted
> for the username & password.
> http://demo.icdevgroup.org/i/demo1/admin/customer.html?showactive=1&id=TwXw32cc&mv_pc=17
>
> Granted, if IC's demo1 clears its session IDs between now and
> the time you all receive it, it may not work. So try it yourself.
>
> Immediate attention, clarification and support is greatly appreciated.

I'm pretty sure Interchange's session handling stops session hijacking in
the way you describe. Granted, if you disable cookies and run your tests on
the same machine (same IP address) you may appear to be hijacking a session.

If Interchange sees the same sessionid from a different source then it
starts a new session. That is why a static page containing Interchange links
with a sessionid doesn't result in you getting someone else's session.

As an aside, this session management is in contrast to the Vizzavi service
of the largest mobile phone network provider (Vodafone), where it is possible to
hijack a session as long as the session has not expired.

And no, I didn't get in with the above URL.

Jonathan
www.webmaint.net
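The behaviour Jonathan describes (a session id presented from a different source than the one that created it is not honoured, and the requester gets a fresh, empty session) can be illustrated with a small session store. This is an added example, not Interchange's own session code; the `SessionStore` class, the `resolve` outcome labels and the IP addresses are constructed for the illustration.

```python
"""Source-bound session store: a session id only resumes the session it
names when it arrives from the source address that created it.
Example code, not Interchange's implementation."""

import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    sid: str
    source_ip: str          # address the session was created from
    created: float          # epoch seconds
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory store (a constructed stand-in for a real backend) that
    binds each session id to the client address that created it."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def _new(self, source_ip: str, now: float) -> Session:
        # Fresh, unguessable id; the new session carries no data.
        s = Session(sid=secrets.token_urlsafe(16), source_ip=source_ip, created=now)
        self._sessions[s.sid] = s
        return s

    def resolve(self, presented_sid: Optional[str], source_ip: str,
                now: Optional[float] = None) -> Tuple[Session, str]:
        """Return (session, outcome). Outcomes (labels are ours):
        'new'      no usable id presented
        'resumed'  id known, same source, not expired
        'rebound'  id known but from a different source: a fresh session is
                   issued, so the presented id grants nothing
        'expired'  id known but past its TTL: fresh session
        """
        now = time.time() if now is None else now
        s = self._sessions.get(presented_sid) if presented_sid else None
        if s is None:
            return self._new(source_ip, now), "new"
        if now - s.created > self.ttl:
            del self._sessions[s.sid]
            return self._new(source_ip, now), "expired"
        if s.source_ip != source_ip:
            # Same sid, different source: do not hand over the existing
            # session. The requester gets an empty one of its own.
            return self._new(source_ip, now), "rebound"
        return s, "resumed"


def demo() -> dict:
    """Walk through the scenario from the thread with constructed addresses:
    the owner logs in, then the same sid is replayed from elsewhere."""
    store = SessionStore(ttl_seconds=60)
    owner, _ = store.resolve(None, "198.51.100.10", now=1000.0)
    owner.data["admin"] = True                      # owner authenticated
    same, o_same = store.resolve(owner.sid, "198.51.100.10", now=1010.0)
    other, o_other = store.resolve(owner.sid, "203.0.113.7", now=1020.0)
    late, o_late = store.resolve(owner.sid, "198.51.100.10", now=1100.0)
    return {
        "same_source": o_same,
        "same_has_admin": bool(same.data.get("admin")),
        "other_source": o_other,
        "other_has_admin": bool(other.data.get("admin")),
        "other_got_new_sid": other.sid != owner.sid,
        "after_ttl": o_late,
        "late_has_admin": bool(late.data.get("admin")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Binding to the source address alone cannot distinguish two clients that share an address (the "same machine" case in the reply, and equally clients behind one NAT or proxy), which is why a cookie-carried id and rotation of the id on login are the usual complements to this check.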