JVN#07468800
Predictable session ID vulnerability in Access Analyzer CGI by futomi's CGI Cafe
Overview
Access Analyzer CGI from futomi's CGI Cafe contains a predictable session ID vulnerability.
Products Affected
- Access Analyzer CGI Standard Version, Ver 4.0.1 and earlier
- Access Analyzer CGI Professional Version, Ver 4.11.3 and earlier
Description
Access Analyzer CGI, provided by futomi's CGI Cafe, is software for analyzing web access logs. Access Analyzer CGI contains a predictable session ID vulnerability.
Impact
A remote attacker could impersonate an administrator of Access Analyzer CGI. As a result, a remote attacker could view access analysis results of the website where the software resides.
Solution
Update the Software
Update to the latest version according to the information provided by the vendor.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2008.12.12
Measures | Conditions | Severity |
---|---|---|
Access Required | Routed - can be attacked over the Internet using packets | |
Authentication | None - anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | None - the vulnerability can be exploited without an honest user taking any action | |
Exploit Complexity | Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) | |
Credit
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2008-5809 |
JVN iPedia | JVNDB-2008-000083 |