- Project: Joomla!
- SubProject: framework
- Severity: Low
- Versions: 1.5.8 and all previous 1.5 releases
- Exploit type: Session Hijacking
- Reported Date: 2008-November-20
- Fixed Date: 2009-January-9
Description
When a site is run under SSL only (the entire site is forced to use SSL), Joomla! does not set the Secure flag on the session cookie. Without that flag the browser will also send the cookie over a plain-HTTP request to the same host, for example if a visitor follows or is lured into an http:// link to the site, so someone monitoring the network can obtain the session cookie even though the site itself is only served over SSL. Please note that all data is still transferred securely; only the cookie is exposed in this way.
Affected Installs
1.5.8 and lower installs which are run with SSL only (no non-SSL access).
Solution
Upgrade to the latest Joomla! version (1.5.9 or newer) and set Force SSL in Global Configuration to cover the entire site; the Secure flag is then set on the session cookie. Alternatively, the PHP setting session.cookie_secure can be enabled directly, either in .htaccess (php_flag session.cookie_secure on) or in php.ini (session.cookie_secure = 1). Joomla! (all versions) will respect this setting because it uses PHP's own session cookie handling. Verify the fix by requesting the site over HTTPS and confirming that the Set-Cookie header carries the Secure attribute.
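The check described above, as an added example that is not part of this advisory or of Joomla! itself: a small Python audit that parses Set-Cookie headers and reports any cookie set without the Secure attribute. The sample headers are constructed for illustration (the 32-hex-character cookie name imitates the hashed session cookie name Joomla! 1.5 uses; it is not taken from a real install), and the optional fetch_set_cookie_headers() helper is an assumed convenience for running the same check against a live HTTPS site.

```python
"""Audit Set-Cookie headers for the Secure flag (added example, not Joomla! code)."""
import http.client
import sys
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no value, map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def insecure_cookies(set_cookie_headers):
    """Return the names of all cookies that were set without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            missing.append(name)
    return missing


def fetch_set_cookie_headers(url, timeout=10):
    """GET `url` over HTTPS and return every Set-Cookie value (needs network; assumed helper)."""
    parsed = urlsplit(url)
    if parsed.scheme != "https":
        raise ValueError("audit the HTTPS endpoint; the Secure flag is only meaningful there")
    conn = http.client.HTTPSConnection(parsed.hostname, parsed.port or 443, timeout=timeout)
    conn.request("GET", parsed.path or "/", headers={"User-Agent": "cookie-audit"})
    resp = conn.getresponse()
    headers = resp.headers.get_all("Set-Cookie") or []
    conn.close()
    return headers


# Constructed sample headers: the first models an affected install (no Secure
# flag), the second the same cookie after session.cookie_secure is enabled.
SAMPLE_VULNERABLE = [
    "5b7e1c9d0f3a4b2e8c6d7a9f1e0b3c4d=q1w2e3r4t5y6u7i8o9p0; path=/",
]
SAMPLE_FIXED = [
    "5b7e1c9d0f3a4b2e8c6d7a9f1e0b3c4d=q1w2e3r4t5y6u7i8o9p0; path=/; secure",
]


def main(argv):
    """Audit a live site if a URL is given, otherwise the constructed samples."""
    headers = fetch_set_cookie_headers(argv[1]) if len(argv) > 1 else SAMPLE_VULNERABLE
    bad = insecure_cookies(headers)
    for name in bad:
        print("cookie %s is set WITHOUT the Secure flag" % name)
    if not bad:
        print("all %d cookie(s) carry the Secure flag" % len(headers))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed samples evaluated, or with https://your-site/ as the first argument to inspect the cookies your own install sets; a non-zero exit status means at least one cookie lacks the Secure flag.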
Reported By Hanno Boeck
Contact
The JSST at the
Joomla! Security Center.