Web services that rely on cookies for authentication may be vulnerable to an authentication bypass vulnerability.
Some web sites transmit authentication material (often cookies) without encrypting the entire session, even when the authentication material is initially set over an encrypted HTTP session. This behavior could allow an attacker on the network path to obtain authentication material and impersonate a legitimate user. Sites that set authentication cookies over https during login and then later transmit the cookies over HTTP are particularly vulnerable, since users are more likely to think that the security of the login page applies to the entire session.
HTTP cookies are text that is sent to a client web browser from a server. Cookies are transmitted back to the server from the client's browser when the client accesses the web site.
A remote unauthenticated attacker who can intercept traffic that is destined to an affected web site may be able to take any action on the web site that the legitimate user can.
There are a number of options that can mitigate this type of vulnerability. Please see the Workarounds and Systems Affected sections of this document for more information, including information about specific vendors.
Workarounds for users
Information about this vulnerability was released by Erratasec.
This document was written by Ryan Giobbi and Dean Reges.
|Date First Published:||2007-09-07|
|Date Last Updated:||2009-04-13 20:02 UTC|