Re: Security Paper: Session Fixation Vulnerability in Web-based Applications
Not to be an "I told you so" or anything, since I didn't really tell
anyone except the guys at SPI Dynamics, but I noticed that problem (the
reuse of session IDs between non-SSL and SSL sessions) about 3 years
ago. It was particularly evident in BroadVision based applications.
BroadVision released a paper to their clients, I believe.
It really only became a big problem if the app echoed information back
to the client. You could get CC info from active sessions pretty easily
on some very large BroadVision based sites. If it didn't echo info you
were kinda limited in your attack. On most apps I tested you could
just add or remove stuff to people's carts, which, while funny, I did not think
was that big of an issue.
On Thursday, December 19, 2002, at 11:45 AM, Sverre H. Huseby wrote:
> | ACROS Security is pleased to announce the publication of a
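The reuse described in the post above (a session ID first seen on the plaintext side staying valid after the user authenticates over SSL) and the usual remedy (issue a fresh ID at the trust boundary) in runnable form. This is an added example, not code from the post, from BroadVision or from the ACROS paper; the `App` class, the `"alice"` account, the `correct-horse` password and the card number it echoes back are all constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, List, Dict


@dataclass
class Session:
    sid: str
    user: Optional[str] = None
    cart: List[str] = field(default_factory=list)


class App:
    """Toy web app. rotate_on_login=False reproduces the session ID reuse
    problem; rotate_on_login=True issues a new ID once the user has
    authenticated over SSL, so an ID sniffed on the HTTP side is useless."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, Session] = {}
        # Constructed sample of the kind of data an app might echo back.
        self.secret_data = {"alice": "4111-xxxx-xxxx-1111"}

    def _get_or_create(self, sid: Optional[str]) -> Session:
        s = self.sessions.get(sid) if sid else None
        if s is None:
            s = Session(secrets.token_urlsafe(32))
            self.sessions[s.sid] = s
        return s

    def browse(self, sid: Optional[str], item: str) -> str:
        """Request over plain HTTP: anyone on the path can read the cookie."""
        s = self._get_or_create(sid)
        s.cart.append(item)
        return s.sid

    def login(self, sid: Optional[str], user: str, password: str) -> Optional[str]:
        """Request over SSL. Returns the session ID the client should use next."""
        s = self._get_or_create(sid)
        if password != "correct-horse":  # constructed credential check
            return None
        if self.rotate_on_login:
            # Privilege just changed: retire the ID that may have been
            # observed in cleartext and carry the cart over to a fresh one.
            del self.sessions[s.sid]
            s = Session(secrets.token_urlsafe(32), cart=s.cart)
            self.sessions[s.sid] = s
        s.user = user
        return s.sid

    def account(self, sid: str) -> Optional[str]:
        """Request over SSL that echoes sensitive data for the logged-in user."""
        s = self.sessions.get(sid)
        if s is None or s.user is None:
            return None
        return self.secret_data.get(s.user)


def demo(rotate_on_login: bool):
    """Returns (what the attacker sees, what the victim sees)."""
    app = App(rotate_on_login)
    sid_http = app.browse(None, "book")            # victim shops over HTTP
    sniffed = sid_http                              # attacker captures the cookie
    new_sid = app.login(sid_http, "alice", "correct-horse")  # victim logs in over SSL
    return app.account(sniffed), app.account(new_sid)


if __name__ == "__main__":
    print("no rotation:", demo(False))   # attacker gets the card number
    print("rotation:   ", demo(True))    # attacker gets None, victim unaffected
```

Rotating the ID is what makes the sniffed cookie worthless; in a real deployment the post-login cookie should also carry the `Secure` attribute so the browser never sends it over plain HTTP in the first place, and the cart carry-over shows that rotation need not cost the user any state.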
Received on Thu Dec 19 17:18:19 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT