Quick.Cart allows a users session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.
The vendor was notified early about this vulnerability, but didnt respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Weakness
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Quick.cart | Opensolution | 6.7 (including) | 6.7 (including) |
Extended Description
Such a scenario is commonly observed when:
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user’s account through the active session.
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/196.html
- https://cwe.mitre.org/data/definitions/21.html
- https://cwe.mitre.org/data/definitions/31.html
- https://cwe.mitre.org/data/definitions/39.html
- https://cwe.mitre.org/data/definitions/59.html
- https://cwe.mitre.org/data/definitions/60.html
- https://cwe.mitre.org/data/definitions/61.html