View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007044 | Kali Linux | [All Projects] Kali Package Bug | public | 2021-02-09 09:55 | 2021-06-30 08:49 |
Reporter | vgsgs | Assigned To | rhertzog | ||
Priority | normal | Severity | crash | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | kali-dev | ||||
Target Version | Fixed in Version | ||||
Summary | 0007044: SESSION HIJACKING. | ||||
Description | VULNERABILITY NAME: SESSION HIJACKING. VULNERABILITY URL: https://bugs.kali.org/ DESCRIPTION: In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. | ||||
Steps To Reproduce | STEPS TO REPRODUCE: 1) Log in to your account 2) Copy your cookies 3) Logout 4) Clear browser cookies 5) Paste the cookies (copied in step 2) 6) Refresh the page 7) Now you will be logged into the account | ||||
Additional Information | The Patch: Cookies should expire after the logout and previous cookies should not be used for logging into the account, they should expire! IMPACT: The malicious attacker can enter the server and access its information without having to hack a registered account. In addition, he can also make modifications on the server to help him hack it in the future or to simplify a data-stealing operation. | ||||
|
bandicam 2021-02-09 14-59-05-295.mp4 (1,273,295 bytes) |
|
Hello Team, Any update? |
|
"session hijacking" assumes that you have a way to intercept the cookie, and you have not shown any way to intercept said cookie over https. That said, I reckon that it would be better if the session cookie was invalidated on logout. But this is a Mantis instance, so you should file that bug report against Mantis; we are not the Mantis developers: https://mantisbt.org/bugs/ |
|
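The behaviour discussed above, as an added example that is not part of the original thread and is not Mantis code: a logout that only clears the browser's cookie leaves the server-side session record alive, so a copied cookie still authenticates, while a logout that deletes the server-side record makes the replay fail. The class names, the `whoami` helper and the 30-minute lifetime are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 1800  # seconds; constructed value for the example


class CookieOnlyLogout:
    """Weak variant: logout asks the browser to drop the cookie, nothing more."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user", "expires"}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid  # value the browser would store as its session cookie

    def logout(self, sid):
        # Only the client copy is cleared; the server still accepts `sid`.
        return "Set-Cookie: session=; Max-Age=0; Secure; HttpOnly"

    def whoami(self, sid):
        rec = self.sessions.get(sid)
        if rec is None or rec["expires"] < time.time():
            return None
        return rec["user"]


class RevokingLogout(CookieOnlyLogout):
    """Corrected variant: logout deletes the server-side record first."""

    def logout(self, sid):
        self.sessions.pop(sid, None)
        return super().logout(sid)


def replay_after_logout(app, user="alice"):
    """Follow the report's steps: log in, keep a copy of the cookie,
    log out, then present the copied cookie again."""
    copied = app.login(user)
    app.logout(copied)
    return app.whoami(copied)  # None means the old cookie was rejected
```

Running `replay_after_logout` against both classes gives a regression check that can be adapted to a real application's login and logout endpoints.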
Hello Team, But this is a valid, impactful issue: after logout we still directly entered the account without the help of the login username and password, which means this is a valid, impactful issue. Please check the video and reply back. Regards, Vaibhav |
|
IMHO the Kali team has already replied back above. Just report an issue to the Mantis team if you see any required action for this issue. |
|
https://mantisbt.org/bugs/view.php?id=11296 https://mantisbt.org/bugs/view.php?id=27976 |
|
Nice to see that this is going to be fixed upstream! @kali-bugreport was that you that submitted this upstream or @vgsgs ? |
|
@rhertzog No, not me. I guess it was @vgsgs or any other reader of this issue here. |
|
Looks like this is CVE-2009-20001: https://nvd.nist.gov/vuln/detail/CVE-2009-20001 |
|
Hello Team, Any reward for this valid issue? |
|
Hello Team, Any reward for this valid issue? Regards, Vaibhav |
|
Hello @rhertzog and @kali-bugreport, am I eligible for a reward for this vulnerability issue? Please reply back regarding my reward. |
|
Bug bounty information can be found here ~ https://www.kali.org/contact/ |
|
Sir, I checked and your bug bounty program is there, so now that your team has resolved this issue, how do I proceed regarding the reward? Am I eligible for a reward for this vulnerability issue? Please reply back regarding my reward. |
|
@vgsgs The Kali team is not in charge of the bug bounty program, please stop requesting this on this ticket. The bug bounty program is described here: https://www.offensive-security.com/bug-bounty-program/ Follow the process there, thank you. |
|
Will be fixed on bugs.kali.org the next time that we upgrade our mantis setup. |
Date Modified | Username | Field | Change |
---|---|---|---|
2021-02-09 09:55 | vgsgs | New Issue | |
2021-02-09 09:55 | vgsgs | File Added: bandicam 2021-02-09 14-59-05-295.mp4 | |
2021-02-11 06:12 | vgsgs | Note Added: 0014214 | |
2021-02-11 08:36 | rhertzog | Note Added: 0014215 | |
2021-02-12 10:58 | vgsgs | Note Added: 0014218 | |
2021-02-14 12:21 | kali-bugreport | Note Added: 0014220 | |
2021-03-09 21:11 | kali-bugreport | Note Added: 0014302 | |
2021-03-09 21:26 | rhertzog | Note Added: 0014303 | |
2021-03-10 20:31 | kali-bugreport | Note Added: 0014309 | |
2021-03-13 06:31 | Ehtisham | Issue cloned: 0007094 | |
2021-03-13 06:31 | Ehtisham | Issue cloned: 0007096 | |
2021-03-13 12:22 | kali-bugreport | Note Added: 0014344 | |
2021-03-13 12:36 | vgsgs | Note Added: 0014347 | |
2021-03-15 10:29 | vgsgs | Note Added: 0014352 | |
2021-03-15 10:40 | awesome.juanr155 | Issue cloned: 0007099 | |
2021-03-17 07:02 | vgsgs | Note Added: 0014365 | |
2021-03-23 06:37 | g0tmi1k | Note Added: 0014387 | |
2021-03-30 03:09 | Erika carpenter | Issue cloned: 0007124 | |
2021-04-02 08:29 | vgsgs | Note Added: 0014426 | |
2021-04-02 08:38 | rhertzog | Note Added: 0014427 | |
2021-04-02 08:38 | rhertzog | Assigned To | => rhertzog |
2021-04-02 08:38 | rhertzog | Status | new => resolved |
2021-04-02 08:38 | rhertzog | Resolution | open => fixed |
2021-04-02 08:38 | rhertzog | Note Added: 0014428 | |
2021-06-30 08:49 | g0tmi1k | Priority | immediate => normal |