[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MajorSecurity Advisory #54]xt:Commerce - Cross Site Scripting and Session Fixation Issues

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [MajorSecurity Advisory #54]xt:Commerce - Cross Site Scripting and Session Fixation Issues
From: admin@xxxxxxxxxxxxxxxx
Date: 22 Sep 2008 18:09:05 -0000

It's not the "PHPSESSID" parameter - instead it's the "XTCsid" parameter which 
is vulnerable to a session fixation attack. 

Workaround: 
================
Update to xt:Commerce 3.0.4 SP 2.1

Prev by Date: Cross Site Scripting (XSS) Vulnerabilitiy in fuzzylime (cms) >=3.02, CVE-2008-3098
Next by Date: [ GLSA 200809-12 ] Newsbeuter: User-assisted execution of arbitrary code
Previous by thread: Re: [MajorSecurity Advisory #54]xt:Commerce - Cross Site Scripting and Session Fixation Issues
Next by thread: [SECURITY] [DSA-1619-2] New python-dns package fixes regression
Index(es):
- Date
- Thread