
Re: Invision Power Board v2.1.4 - session hijacking
This report is ridiculous and quite frankly shows that the author does not 
understand how IPB works.

Yes, the author is correct in finding that if you: copy the user's IP address, 
copy the user's user-agent and copy the user's session ID then they can 
"hijack" your session.

That's because, to all intents and purposes, you are the same person.

A stateless HTTP application HAS to authenticate against SOMETHING.

This report is bogus. Feel free to relabel it "Stateless HTTP authentication 
potential vulnerability" and remove it from Invision Power Board's category.