[ic] Admin/Login Bug?!

Mike Heins interchange-users@icdevgroup.org
Wed Feb 19 10:55:01 2003


Quoting Jonathan Clark (jonc@webmaint.com):
> > I just came across this on my own site and then tested it on the
> > icdevgroup demo1 site.
> >
> > I even cleared my cache, cookies, you name it from my pc where I
> > accessed the demo admin site after I copied the url pasted below.
> >
> > Here's where I see a security problem:
> >
> > If someone were to get a hold of or intercept the URL and session
> > IDs that I'm using in my admin area then they have full access
> > without username & pwd to my admin area.
> >
> > I hope someone can prove me wrong. If not, I hope we(you all) can
> > fix this asap. I've been testing this for the last 15 minutes and
> > I'm getting in every time without the username & pwd. Even worse
> > I have the ability to move around in the admin area.
> >
> > Here's a URL to IC's demo1 admin area. See if you get prompted
> > for the username & password.
> > http://demo.icdevgroup.org/i/demo1/admin/customer.html?showactive=
> > 1&id=TwXw32cc&mv_pc=17
> >
> > Granted if the IC's demo1 clears its session IDs between now and
> > the you all receive it, it may not work. So try it yourself.
> >
> > Immediate attention, clarification and support is greatly appreciated.
> 
> I'm pretty sure Interchange's session handling stops session hijacking in
> the way you describe. Granted, if you disable cookies and run your tests on
> the same machine (same IP address) you may appear to be hijacking a session.

This is true, and it is why we have the IP address qualification turned on
by default.

If you set WideOpen Yes, you can do it. Which is why I suggest
lowering SessionExpire to 20 minutes or less if you run WideOpen.

You can reduce your exposure to this by running the UI via
https.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.513.523.7621      <mike@perusion.com>

There's nothing sweeter than life nor more precious than time.
-- Barney
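The policy the reply describes (IP qualification on by default, WideOpen turning it off, SessionExpire bounding how long an idle ID stays valid), as an added Python model written for this page; it is not Interchange's own session code, and the class, method names, session ID and addresses are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Session:
    ip: str           # client address the session was created from
    last_seen: float  # unix time of the last accepted request

class SessionStore:
    """Simplified model (an assumption, not Interchange's code): a session is
    bound to the creating IP unless wide_open is set, and is dropped once it
    has been idle for more than session_expire seconds."""

    def __init__(self, wide_open=False, session_expire=24 * 3600):
        self.wide_open = wide_open
        self.session_expire = session_expire
        self._sessions = {}

    def create(self, sid, ip, now):
        self._sessions[sid] = Session(ip=ip, last_seen=now)

    def validate(self, sid, ip, now):
        """Return 'ok' or the reason a session ID presented from ip is refused."""
        s = self._sessions.get(sid)
        if s is None:
            return "no_session"
        if now - s.last_seen > self.session_expire:
            del self._sessions[sid]   # idle longer than SessionExpire
            return "expired"
        if not self.wide_open and s.ip != ip:
            return "ip_mismatch"      # the IP qualification the reply refers to
        s.last_seen = now
        return "ok"

def demo():
    """Present a leaked admin session ID (constructed values) from another
    address under the default policy and under WideOpen Yes."""
    sid, admin_ip, other_ip, t0 = "s3ss10n1d", "192.0.2.10", "198.51.100.7", 1000.0
    results = {}
    strict = SessionStore()                      # default: IP qualification on
    strict.create(sid, admin_ip, t0)
    results["default_same_ip"] = strict.validate(sid, admin_ip, t0 + 60)
    results["default_other_ip"] = strict.validate(sid, other_ip, t0 + 60)
    loose = SessionStore(wide_open=True, session_expire=20 * 60)
    loose.create(sid, admin_ip, t0)
    results["wideopen_other_ip"] = loose.validate(sid, other_ip, t0 + 60)
    # With no traffic for longer than SessionExpire the ID stops working.
    results["wideopen_after_expire"] = loose.validate(sid, other_ip, t0 + 60 + 21 * 60)
    return results

if __name__ == "__main__":
    print(demo())
```

As the thread notes, the IP check does nothing when the ID is replayed from the same address, which is why the shorter SessionExpire and running the UI over https still matter.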