Posted: Mon Nov 15, 2010 9:58 am Post subject: Security issue with web hoster
I just wanted your opinion on some specific security issue I encountered concerning my web hoster.
This web hoster provides an HTML administrative interface to manage most parts of my websites.
It appeared that this administrative interface has a flaw that silently keeps you logged in after a logout as long as a session cookie is available (i.e. as long as you don't close your browser or manually clear your cookies).
The only thing that you have to do is get a URL from the browser cache and replay it (the URL is partly auto-generated, so you have to get it either from the cache or from the source of an open page). This could lead an attacker to access account management consoles for SSH, FTP, email addresses, etc.
This issue is not really hard to find (you can easily get some hints about it).
So, I have two questions:
- How would you rate this security risk? Non-critical? Severe?
- Do you have any advice on how I can put pressure on my web host to do something to fix this? (They have silently ignored my mail so far.)
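
Added example, not part of the original post and not the hoster's code: a constructed Python model of the behaviour described above, with a logout that leaves the server-side session alive next to one that destroys it, plus a regression check that requests a pre-logout URL again. The `AdminPanel` class, the `/panel/...` paths and the user name are assumptions made for illustration.

```python
import secrets


class AdminPanel:
    """Constructed model of a hosting control panel's session handling."""

    def __init__(self, invalidate_on_logout):
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions = {}  # cookie value -> {"user", "url_token"}

    def login(self, user):
        cookie = secrets.token_urlsafe(32)
        url_token = secrets.token_urlsafe(8)  # the partly auto-generated URL part
        self.sessions[cookie] = {"user": user, "url_token": url_token}
        return cookie, f"/panel/{url_token}/ftp-accounts"

    def logout(self, cookie):
        if self.invalidate_on_logout:
            # Hardened: destroy the server-side record, so the cookie and every
            # URL generated for that session stop working immediately.
            self.sessions.pop(cookie, None)
        # Weak variant: nothing changes server-side; the user only sees the
        # login page while the cookie stays valid until the browser closes.
        return 302, "/login"

    def get(self, cookie, url):
        session = self.sessions.get(cookie)
        parts = url.split("/")  # ["", "panel", <url_token>, <page>]
        if (session is None or len(parts) < 4
                or not secrets.compare_digest(parts[2], session["url_token"])):
            return 302, "/login"
        return 200, f"FTP accounts for {session['user']}"


def replay_after_logout(panel):
    """Regression check: request a pre-logout URL again after logging out."""
    cookie, url = panel.login("alice")          # constructed sample user
    assert panel.get(cookie, url)[0] == 200     # page works while logged in
    panel.logout(cookie)
    return panel.get(cookie, url)[0]            # anything but 200 is correct


if __name__ == "__main__":
    print("logout without invalidation:", replay_after_logout(AdminPanel(False)))
    print("logout with invalidation:   ", replay_after_logout(AdminPanel(True)))
```

The same check can be run by hand against a real panel you own an account on: log in, note a page URL, log out, then request that URL again in the same browser session and confirm you are sent to the login page.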