Security issue with web hoster

Networking/Security Forums -> Exploits // System Weaknesses

Author: paul.m Posted: Mon Nov 15, 2010 9:58 am    Post subject: Security issue with web hoster
    ----
Hello everyone,

I just wanted your opinion on a specific security issue I encountered concerning my web hoster.

This web hoster provides an HTML administrative interface to manage most parts of my websites.

It appeared that this administrative interface has a flaw that silently keeps you logged in after a logout as long as a session cookie is available (i.e. as long as you don't close your browser or manually clear your cookies).

The only thing that you have to do is get a URL from the browser cache and replay it (the URL is partly auto-generated, so you have to get it either from the cache or from the source of an open page). This could lead an attacker to access account management consoles for SSH, FTP, email addresses, etc.

This issue is not really hard to find (you can easily get some hints about it).

So, I have two questions:
- How would you rate this security risk? Non-critical? Severe?
- Do you have any advice on how I can put pressure on my web host to do something to fix this? (They have silently ignored my mail so far.)


Your feedback would be deeply appreciated.

Paul
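
The behaviour described in the post, as an added example that is not part of the original post and not the host's code: a logout that leaves the server-side session record alive, beside one that destroys it, plus a regression check that requests a previously visited admin URL with the old cookie after logout. The `SessionStore` class, the sample URL and the user name are constructed assumptions; the host's real implementation is unknown.

```python
import secrets


class SessionStore:
    """Minimal server-side session table (constructed for illustration)."""

    def __init__(self, invalidate_on_logout):
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions = {}  # session id -> username

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid  # value the browser stores as its session cookie

    def logout(self, sid):
        # Flawed variant: shows the login page again but keeps the record,
        # so the cookie still authenticates until the browser discards it.
        # Fixed variant: deletes the record, making the cookie worthless.
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)
        return "302 /login"

    def handle(self, path, cookie_sid):
        """Serve an admin URL; access depends only on the session table."""
        user = self.sessions.get(cookie_sid)
        if user is None:
            return 401, "login required"
        return 200, f"{path} for {user}"


def replay_after_logout(store):
    """Return the HTTP status for a cached admin URL requested after logout."""
    sid = store.login("alice")
    cached_url = "/admin/ftp-accounts?token=CONSTRUCTED"  # constructed sample
    if store.handle(cached_url, sid)[0] != 200:
        raise RuntimeError("admin URL should work while logged in")
    store.logout(sid)
    status, _ = store.handle(cached_url, sid)
    return status


if __name__ == "__main__":
    print("logout keeps server session   :", replay_after_logout(SessionStore(False)))
    print("logout destroys server session:", replay_after_logout(SessionStore(True)))
```

A 200 after logout reproduces the reported flaw; a 401 is what a correct logout must return.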





output generated using printer-friendly topic mod, All times are GMT + 2 Hours
