Product: Seapine TestTrack Pro
Vulnerable versions: 2010.x, 2011.x
Vulnerability: predictable session cookies
Vendor informed: 2010-09-07
Fix available: no

Info:
TestTrack Pro is an issue tracking application from Seapine.

Vulnerability:
TestTrack Pro offers a SOAP interface which works as follows:

- connect with username and password to retrieve a list of available projects:
  getProjectList(username, password);
- connect with username and password to retrieve a session login cookie on a project:
  projectLogon(project, username, password);
- query the system to retrieve project data, using the session login cookie to authenticate:
  getRecordListForTable(cookie, .....);
- log off the session:
  databaseLogoff(cookie).

The session login cookies generated by the server are predictable. Below is a log file from the connections showing the date and time of each log entry, followed by the cookie used for authentication:

"09/07/10","11:18:19","1246111"
"09/07/10","11:18:22","1246115"
"09/07/10","11:18:44","1246123"
"09/07/10","11:18:46","1246127"
"09/07/10","11:18:51","1246132"
"09/07/10","11:18:53","1246139"
"09/07/10","11:19:16","1246144"
"09/07/10","11:19:18","1246151"
"09/07/10","11:19:33","1246156"
"09/07/10","11:19:35","1246163"
"09/07/10","11:19:51","1246167"
"09/07/10","11:19:53","1246175"

The absolute value of the session cookie is related to the server uptime: it starts near 0 when the server has just been started and increases monotonically afterwards. In the 94 seconds covered by the log above the cookie advanced by only 64, so any session cookie issued between two values an attacker has obtained legitimately lies in a small, known range and can be enumerated against the authenticated SOAP calls.

History:
2010-09-07 Seapine was informed and assigned case number 121426
2010-09-08 Seapine confirmed the issue as a known issue and scheduled a fix in 'an upcoming 2011.0.x maintenance release'.
2010-12-20 TestTrack 2011.1 was released without a fix.
2010-12-24 Seapine was asked to publish a security bulletin detailing risks and mitigations despite no fix being available
2011-02-02 Seapine was informed this issue would be publicly disclosed
2011-02-13 Submitted to Bugtraq and published on my blog
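The following Python script is an added example and is not part of the original advisory or Seapine's code. It parses the twelve log lines quoted above, confirms that the cookie is a strictly increasing counter with a small step, estimates the resulting search space, and shows how an attacker holding two cookies of their own (two projectLogon calls) would enumerate every value a victim could have been issued in between. The victim cookie value 1246119 and the validity-oracle callback are constructed assumptions standing in for a real authenticated SOAP call such as getRecordListForTable.

```python
"""Predictability check for the TestTrack Pro session cookies.

Added example by the editor; not code from the advisory or from Seapine.
The twelve log lines are copied from the advisory. Everything else
(parsing, delta analysis, candidate enumeration, the simulated victim)
is the editor's illustration of how an attacker exploits a monotonically
increasing, low-rate session identifier.
"""
import csv
import io
import math
import secrets
from datetime import datetime

# Log lines exactly as they appear in the advisory: date, time, cookie.
LOG = '''\
"09/07/10","11:18:19","1246111"
"09/07/10","11:18:22","1246115"
"09/07/10","11:18:44","1246123"
"09/07/10","11:18:46","1246127"
"09/07/10","11:18:51","1246132"
"09/07/10","11:18:53","1246139"
"09/07/10","11:19:16","1246144"
"09/07/10","11:19:18","1246151"
"09/07/10","11:19:33","1246156"
"09/07/10","11:19:35","1246163"
"09/07/10","11:19:51","1246167"
"09/07/10","11:19:53","1246175"
'''


def parse_log(text):
    """Return [(timestamp, cookie_as_int), ...] in log order."""
    rows = []
    for date, time, cookie in csv.reader(io.StringIO(text)):
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        rows.append((ts, int(cookie)))
    return rows


def is_monotonic(rows):
    """True if every cookie is strictly greater than the previous one."""
    return all(a[1] < b[1] for a, b in zip(rows, rows[1:]))


def cookie_deltas(rows):
    """(cookie increment, seconds elapsed) for each consecutive pair."""
    return [(b[1] - a[1], int((b[0] - a[0]).total_seconds()))
            for a, b in zip(rows, rows[1:])]


def effective_bits(rows):
    """Log2 of the range of values the cookie covered over the whole log.

    A cookie that advances by 64 in 94 seconds leaves ~6 bits of
    uncertainty to someone who knows one value from that window, against
    the 128+ bits a random token would provide.
    """
    return math.log2(rows[-1][1] - rows[0][1])


def candidate_cookies(before, after):
    """Cookies that may have been issued between two values the attacker
    obtained legitimately. Because the counter only increases, every
    victim session opened in that window must use one of these values."""
    return list(range(before + 1, after))


def find_valid_session(candidates, is_valid):
    """Try each candidate against a caller-supplied validity oracle.

    In the real attack the oracle is an authenticated SOAP call such as
    getRecordListForTable(cookie, ...) succeeding or failing; here it is
    a callback so the logic can be exercised offline."""
    for cookie in candidates:
        if is_valid(cookie):
            return cookie
    return None


def fresh_session_token():
    """What a server should issue instead: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    rows = parse_log(LOG)
    print("monotonic:", is_monotonic(rows))
    print("deltas (cookie step, seconds):", cookie_deltas(rows))
    print(f"effective search space: {effective_bits(rows):.1f} bits")

    # Constructed scenario: the attacker logs on at 11:18:19 and again at
    # 11:18:44 (first and third log entries). A victim session opened in
    # between is assumed to have received cookie 1246119.
    victim_cookie = 1246119
    candidates = candidate_cookies(1246111, 1246123)
    hit = find_valid_session(candidates, lambda c: c == victim_cookie)
    print(f"{len(candidates)} candidates, hijacked cookie: {hit}")
    print("random token for comparison:", fresh_session_token())
```

The same check applies to any session identifier: if consecutive values from your own logons differ by a handful of units, the identifier is a counter, not a secret, and the fix is to issue tokens from a cryptographically secure random source (as fresh_session_token does) rather than to obfuscate the counter.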