Elxis CMS Forum

Support => Security => Topic started by: Amigamerlin on May 25, 2007, 14:11:12

Title: Security issue
Post by: Amigamerlin on May 25, 2007, 14:11:12
Hi guys,
first of all, thanks for this wonderful product.
I'm preparing a website using ELXIS and submitted my site to the Acunetix free service to find out its level of security. I got only one medium error, related to "PHPSESSID session fixation", and a lot of other low-level vulnerabilities.

This is the complete report:

I would really like to know what the "PHPSESSID session fixation" Medium vulnerability means, and whether someone can explain it to me better.
Thanks a lot for your help and answers.
Bye
Title: Re: Security issue
Post by: datahell on May 25, 2007, 17:50:00
It is almost impossible for someone to hijack your session. Of course, it is also a server/PHP settings issue, not just Elxis. Some servers add the PHPSESSID in the URL; I think this is when you have the open_basedir restriction in PHP. To hijack your session, someone must first know your session. It is very-very-very-very-very difficult for this to be done.

Read this about session fixation: http://phpsec.org/projects/guide/4.html

All other alerts are nothing to worry about.
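
Added example, not part of the forum thread and not Elxis code: the PHP session settings and ID regeneration commonly used to close the "PHPSESSID session fixation" finding discussed above. The function names `start_hardened_session()` and `on_login_success()` and the `initiated` and `user_id` session keys are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// Added example: hardening PHP session handling against session fixation.
// start_hardened_session() and on_login_success() are hypothetical names.

function start_hardened_session(): void
{
    // Take the session ID from the cookie only, never from ?PHPSESSID=... in the URL.
    ini_set('session.use_only_cookies', '1');
    // Stop PHP from rewriting links and forms to carry the session ID.
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that this server did not issue (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');
    // Keep the session cookie out of reach of page scripts.
    ini_set('session.cookie_httponly', '1');

    session_start();

    // On the first request of a session, replace whatever ID the client
    // presented with a fresh one and delete the old session data.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}

function on_login_success(string $userId): void
{
    // Issue a new ID at every privilege change, so an ID that was known
    // before login is worthless after it.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

The same four settings can be placed in php.ini instead of being set at runtime, which covers every script on the server.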