Ampache session hijacking
| ampache-session-hijacking (36122) |  Medium Risk |
Description:
Ampache is vulnerable to session hijacking, caused by a vulnerability in the session handling code. By persuading the victim to log into the application using a specially-crafted link, a remote attacker could exploit this vulnerability and hijack any known user's Web session.
Platforms Affected:
- Ampache, Ampache prior to 3.3.3.5
- Gentoo, Linux
Remedy:
Upgrade to the latest version of Ampache (3.3.3.5 or later), available from the Ampache Web site. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Gain Access
References:
- Ampache Web site, Ampache 3.3.3.5 release at http://www.ampache.org/announce/3_3_3_5.php.
- Ampache Web site, Ampache at http://www.ampache.org/.
- CVE-2007-4438: Session fixation vulnerability in Ampache before 3.3.3.5 allows remote attackers to hijack web sessions via unspecified vectors.
- GLSA-200710-13: Ampache: Multiple vulnerabilities
- SA26542: Ampache Session Fixation and SQL Injection
Reported:
Aug 19, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net