SNS Advisory No.94
Aipo/Aipo ASP Session Fixation Vulnerability
Discovered on: 28 Sep 2007
Released on: 28 Sep 2007
Severity: Medium
Overview:
Aipo has a vulnerability that allows attackers to hijack a session, because the application authenticates a user under an attacker-supplied session ID. Exploitation of the vulnerability allows an attacker to impersonate the authorized user and gain access to the vulnerable application to launch further attacks.
Description:
Aipo is a groupware including intra-blogging (Internal Blog) and social networking service (SNS).
The application is vulnerable to session fixation attacks due to a security flaw in its handling of session IDs: the session ID that a client holds before authentication remains valid after the user logs in.
This vulnerability could lead to information leakage or falsification of data, since the attacker can impersonate the user and operate the application with the privileges of the authorized user.
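To illustrate the flaw class and its standard mitigation, here is an added example (not Aipo's code): a constructed in-memory session store with a fixation-prone login that keeps the pre-authentication session ID beside a hardened login that regenerates the ID on successful authentication and invalidates the old one. All names, users and passwords are hypothetical.

```python
import secrets

# Constructed in-memory session store standing in for a web framework's
# session handling. Illustrative only; not the vulnerable product's code.
SESSIONS = {}  # session_id -> {"user": str | None}


def check_password(user, password):
    """Constructed credential table for the demonstration only."""
    return {"alice": "correct horse"}.get(user) == password


def new_session():
    """Issue a fresh, unauthenticated session (what a first visit receives)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login_vulnerable(sid, user, password):
    """Fixation-prone login: on success it simply marks the session the
    client presented as authenticated. Whoever already knows that ID now
    holds an authenticated session for the victim."""
    if sid in SESSIONS and check_password(user, password):
        SESSIONS[sid]["user"] = user
    return sid


def login_fixed(sid, user, password):
    """Hardened login: successful authentication always moves the user to a
    newly generated session ID and discards the pre-authentication one, so
    an ID known before login is worthless afterwards."""
    if not check_password(user, password):
        return sid
    SESSIONS.pop(sid, None)          # old (possibly foreign-known) ID dies
    fresh = new_session()
    SESSIONS[fresh]["user"] = user
    return fresh


def authenticated_user(sid):
    """Return the user bound to sid, or None if unauthenticated or unknown."""
    entry = SESSIONS.get(sid)
    return entry["user"] if entry else None
```

A quick check of the two behaviours: after the hardened login the pre-login ID no longer resolves to any user, while after the vulnerable login it does.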
Affected Products and Versions:
Aipo version 3.0.1 0 and earlier
Aipo ASP version 3.0.1 0 and earlier
Solution:
The vulnerability can be fixed by installing the update program, which is available at: http://aipo.aimluck.com/download/update.html
Discovered by:
Yoshihiro Ishikawa (LAC)
Thanks to:
This LAC Advisory is released in coordination with the Information-technology Promotion Agency, Japan (IPA) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).
http://jvn.jp/jp/JVN%2370075625/index.html
http://www.ipa.go.jp/security/vuln/documents/2007/JVN_70075625.html
Disclaimer:
The information contained in this advisory may be revised without prior notice and is provided as is. Users act at their own risk when taking any action after reading this advisory. Little eArth Corporation Co., Ltd. shall not be held responsible for any claims, losses or damages caused by the use of the information provided here.
This advisory is available at the following URL:
http://www.lac.co.jp/english/advisory/94_e.html

