
Re: Invision Power Board v2.1.4 - session hijacking



Hi,

On Tue, Mar 14, 2006 at 07:32:16PM +0100, Hans Wolters wrote:
> 
> Once you visit a site where Invision Board is used the first click on  
> the Log In link points the visitor to a link with the session id in it:
> 
> index.php?s=<session_id>&act=Login&CODE=00
> 
> If you copy this session id, login and start a different browser (not  
> a new instance) then you only need to copy the session id url into  
> the different browser to login without giving the password and login  
> name.

so you're saying that you can hijack a user's session if you have access
to his session id? Well, that's not a vulnerability, that's how HTTP
sessions work.

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg

Germany
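
The behaviour in the quoted report, where the session id from the pre-login URL is still accepted after login, modelled in a small in-memory session store beside a variant that issues a fresh id at login. This is an added example, not Invision Power Board code and not part of the original message; the class, the function names, the 900-second lifetime and the user "alice" are assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """In-memory session table, constructed for illustration only."""

    def __init__(self, rotate_on_login, ttl=900):
        self.rotate_on_login = rotate_on_login
        self.ttl = ttl            # seconds a session id stays valid
        self.sessions = {}        # session id -> {"user", "expires"}

    def new_session(self, now=None):
        """Issue an anonymous session, as on the first page view."""
        now = time.time() if now is None else now
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "expires": now + self.ttl}
        return sid

    def login(self, sid, user, now=None):
        """Authenticate the session; return the id the client uses afterwards."""
        now = time.time() if now is None else now
        if self.rotate_on_login:
            self.sessions.pop(sid, None)      # the pre-login id stops working
            sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "expires": now + self.ttl}
        return sid

    def user_for(self, sid, now=None):
        """Return the logged-in user for sid, or None if unknown, anonymous or expired."""
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        if entry is None or entry["expires"] <= now:
            self.sessions.pop(sid, None)
            return None
        return entry["user"]


def replay_pre_login_id(rotate_on_login):
    """Present the id copied before login from a second client, after login."""
    store = SessionStore(rotate_on_login)
    copied = store.new_session()              # the value of s= in the login link
    current = store.login(copied, "alice")    # "alice" is a constructed user
    return store.user_for(copied), store.user_for(current)


if __name__ == "__main__":
    print("id kept at login:   ", replay_pre_login_id(False))
    print("id rotated at login:", replay_pre_login_id(True))
```

In both variants the id issued at login identifies the session to whoever presents it; rotation only retires ids handed out before login, and the lifetime bounds how long any id is accepted.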