Hi, On Tue, Mar 14, 2006 at 07:32:16PM +0100, Hans Wolters wrote: > > Once you visit a site where Invision Board is used the first click on > the Log In link points the visitor to a link with the session id in it: > > index.php?s=<session_id>&act=Login&CODE=00 > > If you copy this session id, login and start a different browser (not > a new instance) then you only need to copy the session id url into > the different browser to login without giving the password and login > name. so you're saying that you can hijack a user's session if you have access to his session id? Well, that's not a vulnerability, that's how HTTP sessions work. Bye, Peter -- Peter Conrad Tel: +49 6102 / 80 99 072 [ t]ivano Software GmbH Fax: +49 6102 / 80 99 071 Bahnhofstr. 18 http://www.tivano.de/ 63263 Neu-Isenburg Germany
