Penetration Testing mailing list archives

Re: ATG Dynamo issues?
From: "Bill Pennington" <billp () boarder org>
Date: Thu, 4 Oct 2001 22:48:13 -0700

Not a mind-blowing issue but I have seen similar products that reuse session
ids between SSL and non-SSL sessions. So you can capture a session id during
a non-SSL request then insert it into an SSL session and "hi-jack" the
session.



----- Original Message -----
From: "Dom De Vitto" <Dom () DeVitto com>
To: <pen-test () securityfocus com>
Sent: Wednesday, October 03, 2001 2:06 AM
Subject: ATG Dynamo issues?


ATG Dynamo is a dynamic web content/e-commerce system.

Does anyone know of any issues with it?
(it does have the habit of putting sessionids all over the place, in URLs
etc, but the session id space looks pretty wide 36^32 - unless the RNG is
naff?)

Thanks in advance,
Dom



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



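A defensive sketch of the session id reuse described in the reply above, added here as an example and not taken from the thread or from ATG Dynamo: session ids are bound to the transport they were issued on, and a fresh HTTPS-only id replaces the plain-HTTP one at login. The class, function and cookie names are hypothetical, and the caller is assumed to have verified credentials before calling `promote_after_login`.

```python
import secrets

class ChannelBoundSessions:
    """Hypothetical store: every session ID remembers the transport it was issued on."""

    def __init__(self):
        self._sessions = {}  # session id -> {"secure": bool, "data": dict}

    def issue(self, secure, data=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"secure": secure, "data": dict(data or {})}
        return sid

    def lookup(self, sid, secure):
        """Return session data only when the ID arrives on its issuing transport."""
        entry = self._sessions.get(sid)
        if entry is None or entry["secure"] != secure:
            return None
        return entry["data"]

    def promote_after_login(self, plain_sid):
        """Call after credentials are verified over HTTPS: issue a fresh
        HTTPS-only ID, carry the data over, and retire the plain-HTTP ID."""
        entry = self._sessions.get(plain_sid)
        if entry is None or entry["secure"]:
            return None
        del self._sessions[plain_sid]
        return self.issue(secure=True, data=entry["data"])


def cookie_header(sid, secure):
    """Build a Set-Cookie value; Secure keeps the HTTPS ID off plain HTTP."""
    attrs = ["SESSIONID=" + sid, "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def demo():
    store = ChannelBoundSessions()
    plain = store.issue(secure=False, data={"cart": ["item-1"]})  # constructed data
    tls = store.promote_after_login(plain)
    return {
        "plain_id_on_https": store.lookup(plain, secure=True),
        "plain_id_on_http": store.lookup(plain, secure=False),
        "tls_id_on_https": store.lookup(tls, secure=True),
        "tls_id_on_http": store.lookup(tls, secure=False),
        "tls_cookie_secure": cookie_header(tls, True).endswith("; Secure"),
    }


if __name__ == "__main__":
    print(demo())
```

An id captured from a non-SSL request is rejected on the SSL side both before and after login, and the HTTPS id is only ever set with the `Secure` attribute.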



Current thread:
  • ATG Dynamo issues? Dom De Vitto (Oct 04)
    • Re: ATG Dynamo issues? Bill Pennington (Oct 06)