CA 2E Web Option 8.1.2 - Authentication Bypass Vulnerability

Details:
 
CA 2E Web Option (r8.1.2) and potentially others, is vulnerable to unauthenticated privilege escalation via a predictable session token.
The POST parameter session token W2E_SSNID appears as follows:
 
W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013CLSpKfgkCJSLKsc600061JKenjKnE
JuNX9GoVjCEbqIuKh6kFRvbzYnUxgQtONszJldyAar3LtTSwsmBLpdlPc5iDH4Zf75
 
 
However, this token is poorly validated, leading to
 
W2E_SSNID=3DW90NIxGoSsN1023ZYW2E735182000013
 
being accepted as a valid session. By incrementing and
decrementing the digits at the end of the value given above, it is
possible to control the session at the given ID. This token is sent as
part of the login page, and as such, can be manipulated by an
unauthenticated attacker, giving them access to any valid session.
Consequentially, it is possible to access the following page as such:
 
https://app.domain.co.uk/web2edoc/close.htm?SSNID=3DW90NIxGoSsN1023ZYW2E735182000026
 
Ending the session specified, which could lead to a denial of service condition.
 
Further details at:
http://portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1219/

#  0day.today [2018-04-13]  #