Elxis CMS PHPSESSID session hijacking
| elxis-phpsessid-session-hijacking (45868) |  Medium Risk |
Description:
Elxis CMS could allow a remote attacker to hijack a valid user's session, caused by a vulnerability in the PHPSESSID cookie variable. By setting the PHPSESSID variable to a fixed value, a remote attacker could hijack a victim's session once the victim logs into the application using the set PHPSESSID value.
Platforms Affected:
- Elxis CMS, Elxis CMS 2008.1 rev 2204
Remedy:
No remedy available as of July 4, 2009.
Consequences:
Gain Access
References:
- Elxis Web site, Elxis CMS at http://www.elxis.org/.
- packet storm Web site, Elxis 2008.1 Nemesis suffers from multiple cross site scripting vulnerabilities at http://packetstormsecurity.org/0810-exploits/elxis-xss.txt.
- BID-31764: Elxis CMS 'index.php' Multiple Cross Site Scripting and Session Fixation Vulnerabilities
- CVE-2008-4649: Session fixation vulnerability in Elxis CMS 2008.1 revision 2204 allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
Reported:
Oct 14, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net