SNS Advisory No.98
Cybozu Garoon Session Fixation Vulnerability
Discovered on:30 Oct 2006
Released on:3 Jul 2008
Severity:
Medium
Overview:
Cybozu Garoon has a vulnerability that could allow an attacker to hijack a user's session when authenticating the user with a session ID fixed by the attacker. The attacker can impersonate a legitimate user and gain access to the application to launch further attacks.
Description:
Cybozu Garoon is a Web-based groupware application suite.
Cybozu Garoon has a session fixation vulnerability that could allow an attacker to use a session ID fixed by the attacker due to an error in handling session IDs in the login page.
Exploitation of the vulnerability could allow attackers to login the application in the login page by impersonating a legitimate user such as administrator to launch further attacks.
Affected Products and Versions:
Cybozu Garoon 2.0.0 - 2.1.3
Solution:
The vulnerability can be fixed by updating the software to Cybozu Garoon 2.5.0 or later.
Discovered by:
Yoshihiro Ishikawa (LAC)
Thanks to:
This LAC Advisory is released in coordination with Information-technology Promotion Agency, Japan (IPA) and Japan Computer Emargency Response Team Coordination Center (JPCERT/CC.)
Disclaimer:
The information contained in this advisory may be revised without prior notice and is provided as is. Users shall take their own risk when taking any actions following reading this advisory. Little eArth Corporation Co., Ltd. shall not be held responsible for any claims, losses or damages caused by the use of information provided here.
This advisory is available at the following URL:
http://www.lac.co.jp/english/advisory/98_e.html
Reference
Category Menu
