[ic] Admin/Login Bug?!

Ed LaFrance interchange-users@icdevgroup.org
Wed Feb 19 11:48:01 2003


At 12:50 PM 02/19/2003 +0000, you wrote:
> > I just came across this on my own site and then tested it on the
> > icdevgroup demo1 site.
> >
> > I even cleared my cache, cookies, you name it from my pc where I
> > accessed the demo admin site after I copied the url pasted below.
> >
> > Here's where I see a security problem:
> >
> > If someone were to get hold of or intercept the URL and session
> > IDs that I'm using in my admin area then they have full access
> > without username & pwd to my admin area.
> >
> > I hope someone can prove me wrong. If not, I hope we(you all) can
> > fix this asap. I've been testing this for the last 15 minutes and
> > I'm getting in every time without the username & pwd. Even worse
> > I have the ability to move around in the admin area.
> >
> > Here's a URL to IC's demo1 admin area. See if you get prompted
> > for the username & password.
> > http://demo.icdevgroup.org/i/demo1/admin/customer.html?showactive=
> > 1&id=TwXw32cc&mv_pc=17
> >
> > Granted if the IC's demo1 clears its session IDs between now and
> > the time you all receive it, it may not work. So try it yourself.
> >
> > Immediate attention, clarification and support is greatly appreciated.
>
>I'm pretty sure Interchange's session handling stops session hijacking in
>the way you describe. Granted, if you disable cookies and run your tests on
>the same machine (same IP address) you may appear to be hijacking a session.
>
>If Interchange sees the same sessionid from a different source then it
>starts a new session. That is why a static page containing Interchange links
>with a sessionid doesn't result in you getting someone else's session.

I can confirm that - I am intimately familiar with that part of the code, 
because I had to integrate a relay-response payment system for a 4.8 
catalog last year. The security risk will come if you run your IC server 
with WideOpen set to 'Yes' - then Interchange WILL allow continuity of a 
single session across multiple sources.

- Ed L.


>As an aside, this session management is in contrast to the Vizzavi service
>of the largest mobile phone network provider (Vodafone) where it is possible to
>hijack a session as long as the session has not expired.
>
>And no, I didn't get in with the above url.
>
>Jonathan
>www.webmaint.net

===============================================================
New Media E.M.S.              Technology Solutions for Business
463 Main St., Suite D         eCommerce | Consulting | Hosting
Placerville, CA  95667        edl@newmediaems.com
(530) 622-9421                http://www.newmediaems.com
(866) 519-4680 Toll-Free      (530) 622-9426 Fax
===============================================================
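The behaviour Jonathan and Ed describe (a session id presented from a different source starts a fresh session, unless WideOpen is on), written out as an added illustration that is not Interchange's own code; the class and function names are assumptions chosen for this example, and the IP addresses are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionStore:
    """Minimal store that binds each session id to the source it came from
    (illustrative code, not the Interchange implementation)."""
    wide_open: bool = False      # stands in for the WideOpen setting in the thread
    sessions: dict = field(default_factory=dict)

    def new_session(self, source: str) -> str:
        """Create an empty session bound to the requesting source."""
        sid = secrets.token_urlsafe(6)
        self.sessions[sid] = {"source": source, "data": {}}
        return sid

    def resolve(self, sid: Optional[str], source: str) -> str:
        """Return the session id this request should actually use.

        An id presented from a source other than the one it was created
        from is not honoured: a fresh, unprivileged session is started,
        so a leaked URL does not carry the original login with it.
        With wide_open=True that check is skipped, which is the risk Ed notes.
        Binding on source address is coarse (shared NAT, proxies), so it
        is a mitigation on top of cookies and expiry, not a replacement.
        """
        rec = self.sessions.get(sid) if sid else None
        if rec is None or (rec["source"] != source and not self.wide_open):
            return self.new_session(source)
        return sid

    def is_admin(self, sid: str) -> bool:
        return self.sessions[sid]["data"].get("admin", False)


def replay_leaked_url(wide_open: bool) -> bool:
    """Replay the scenario from the thread: an admin session id copied out of
    a URL and presented from another machine.  Returns True if the second
    machine lands in the admin's session."""
    store = SessionStore(wide_open=wide_open)
    admin_sid = store.resolve(None, "203.0.113.10")        # constructed admin IP
    store.sessions[admin_sid]["data"]["admin"] = True       # admin has logged in
    other_sid = store.resolve(admin_sid, "198.51.100.7")    # constructed second IP
    return store.is_admin(other_sid)
```

With the default setting the replayed id yields a new, unprivileged session; with wide_open=True the same session is continued across sources.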