BID:52900

Sencha SNS Session Fixation And Cross Site Request Forgery Vulnerabilities

Info

Sencha SNS Session Fixation And Cross Site Request Forgery Vulnerabilities

Bugtraq ID:	52900
Class:	Input Validation Error
CVE:	CVE-2012-1237 CVE-2012-1238
Remote:	Yes
Local:	No
Published:	Apr 05 2012 12:00AM
Updated:	Apr 05 2012 12:00AM
Credit:	Hiroshi Tokumaru, HASH Consulting Corp
Vulnerable:	Aishizu Inc Sencha SNS 1.0.1

Not Vulnerable:	Aishizu Inc Sencha SNS 1.0.2

Discussion

Sencha SNS Session Fixation And Cross Site Request Forgery Vulnerabilities

Sencha SNS is prone to session-fixation and cross-site request-forgery vulnerabilities.

An attacker can exploit these issues to hijack an arbitrary session and gain unauthorized access to the affected application, or perform certain administrative actions on user's behalf.

Versions prior to Sencha SNS 1.0.2 are vulnerable.

Exploit / POC

Sencha SNS Session Fixation And Cross Site Request Forgery Vulnerabilities

To exploit these issues an attacker entices an unsuspecting user into following a malicious URI.

Solution / Fix

Sencha SNS Session Fixation And Cross Site Request Forgery Vulnerabilities

Solution:
Updates are available. Please see the references for details.

References

Sencha SNS Session Fixation And Cross Site Request Forgery Vulnerabilities

References:

Notice of release Sencha SNS 1.0.2 (Aishizu Inc)
Sencha SNS Homepage (Aishizu Inc)
SENCHA SNS vulnerable to cross-site request forgery (JVN)
SENCHA SNS vulnerable to session fixation (JVN)