================================================== ocPoral CMS 8.x | Session Hijacking Vulnerability ================================================== 1. OVERVIEW ocPoral CMS 8.x and lower versions are vulnerable to Session Hijacking flaw which could allow attackers to compromise administrator session. 2. PRODUCT DESCRIPTION ocPortal is the website Content Management System (a CMS) for building and maintaining a dynamic website. ocPortal's powerful feature-set means there's always a way to accomplish your vision. Not only does ocPortal's CMS have all the features you'd expect: for instance photo galleries, news, file downloads and community forums/chats, but it does so whilst meeting the highest accessibility and professional standards. It is also smart enough to go beyond page management, to automatically handle search engine optimisation, and provide aggressive hack attack prevention. 3. VULNERABILITY DESCRIPTION The ocPoral CMS generates 7-digit session IDs for logged-in users; thus it is possible to work out a valid session ID through brute forcing. Successful hijacking requires the "Enforce IP addresses for sessions" option be disabled. However, when a user's IP is highly dynamic, this option will likely to be disabled as it would invalidate logged-in sessions. In other way, if a user and an attacker happened to be within the same subnet, the attack would succeed regardless of the "Enforce IP" setting turning on. 4. VERSIONS AFFECTED Tested on version 8.1.2 5. PROOF-OF-CONCEPT/EXPLOIT sample session cookie: ocp_session=8711789 6. SOLUTION No fix is available as of 2012-08-19. Workaround is to set enabled for the option, "Enforce IP addresses for sessions". 7. VENDOR ocPortal Development Team http://www.ocportal.com/ 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-07-29: notified vendor, vendor did not plan to release fix because of default deployed workaround 2012-08-19: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bocportal_8x%5D_session_hijacking_vulnerability #yehg [2012-08-19]