An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing…
mitre·CWE-330·Published 2021-12-13
An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit.
An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit.
Se ha detectado un problema en Reprise RLM versión 14.2. Como las cookies de sesión son pequeñas, un atacante puede secuestrar cualquier sesión presente forzando la cookie de sesión de 4 caracteres hexadecimales en la versión de Windows (la versión de Linux parece tener 8 caracteres). Un atacante puede obtener la parte estática de la cookie (nombre de la cookie) al hacer primero una petición a cualquier página de la aplicación (por ejemplo, /goforms/menú) y guardando el nombre de la cookie enviada con la respuesta. El atacante puede entonces usar el nombre de la cookie e intentar solicitar esa misma página, estableciendo un valor aleatorio para la cookie. Si algún usuario presenta una sesión activa, la página debería volver con el contenido autorizado, cuando se encuentre un valor de cookie válido
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |