27th Nov 2001 [SBWID-4878]
COMMAND
NetDynamics session ID reusable
SYSTEMS AFFECTED
NetDynamics 4.x, 5.x
PROBLEM
From the Phuzzy L0gic advisory [www.nmrc.org]:
It appears that the NetDynamics session management package does not
properly manage its user state table. The session ID generated before a
legitimate user logs in remains valid for that user's account for
upwards of 15 seconds after login.
An attacker who understands the web application's command mappings can
therefore hijack random user sessions.
This attack can be carried out in the following manner:
An attacker visits the web application's login page, where ndcgi.exe
generates a 'random' session ID, and samples the hidden 'SPIDERSESSION'
tag and the 'uniqueValue' tag from the HTML source.
The attacker must then wait for a legitimate user to login.
Append both variables to the end of a command request (the URL is shown
on one line here):
"http://victim/cgi-bin/ndcgi.exe/[command>mapping]/[command]?SPIDERSESSION=[...]&uniqueValue=XXXXXXXXXXXXX"
The command is executed with the privileges of the victim, and the
attacker now controls the session.
If NetDynamics is configured to allow multiple logins from any domain
(default), the victim will not be alerted to the attack.
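As an added illustration, not part of the advisory and not NetDynamics code, the Python below models the state-table behaviour described above: the pre-authentication ID stays bound to the account for 15 seconds after login beside the newly issued ID, and the contrasting class shows the expected behaviour of revoking it at login. Class and method names are assumptions for the demonstration.

```python
import secrets

GRACE_SECONDS = 15  # window observed in the advisory


class FakeClock:
    """Deterministic clock so the 15 second window can be stepped explicitly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class VulnerableSessions:
    """Flaw modelled: at login the pre-authentication ID is upgraded to the
    account and left valid for GRACE_SECONDS beside the freshly issued ID."""
    def __init__(self, clock):
        self.clock = clock
        self.table = {}  # session_id -> (username or None, expiry or None)

    def visit_login_page(self):
        sid = secrets.token_hex(16)  # pre-authentication session ID
        self.table[sid] = (None, None)
        return sid

    def _issue(self, username):
        sid = secrets.token_hex(16)  # fresh authenticated session ID
        self.table[sid] = (username, None)
        return sid

    def login(self, pre_auth_sid, username):
        if pre_auth_sid not in self.table:
            raise KeyError("unknown session")
        # Bug: the old ID is not revoked; the state table keeps it bound to
        # the account until a lazy cleanup GRACE_SECONDS later.
        self.table[pre_auth_sid] = (username, self.clock() + GRACE_SECONDS)
        return self._issue(username)

    def whoami(self, sid):
        user, expiry = self.table.get(sid, (None, None))
        if expiry is not None and self.clock() > expiry:
            del self.table[sid]  # lazy cleanup of the stale entry
            return None
        return user


class FixedSessions(VulnerableSessions):
    """Expected behaviour: rotate the ID at authentication and revoke the
    pre-login ID immediately, so no window exists for anyone else holding it."""
    def login(self, pre_auth_sid, username):
        del self.table[pre_auth_sid]  # raises KeyError for an unknown ID
        return self._issue(username)
```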
SOLUTION
None available
Configuring NetDynamics to disallow multiple logins from the same domain
may help alert users that such an attack is being carried out.