IBM WebSphere Application Server uses predictable sequence numbers for session IDs when issuing cookies to users. Specifically, most of the session ID is static, and the characters that do vary are not entirely random. This is further compounded by the fact that the session ID is composed only of alphanumeric (A-Z, 0-9) characters, so WebSphere cycles through a limited range of possibilities. Consequently, the sequence number may be easily anticipated. If this issue is successfully exploited, it is possible for an attacker to obtain the cookie-based authentication credentials of other users, allowing unauthorized access to the vulnerable application. NOTE: This issue was resolved in IBM WebSphere Application Server 4.0 (and later), and any information about patching these versions should be disregarded.
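A defender can measure the weakness described above by sampling a few issued session cookies and checking how many positions actually change, how much entropy they carry against the A-Z, 0-9 alphabet, and whether the varying part simply counts upward. The following is an added example and not part of the advisory; the sample IDs are constructed and do not reproduce the real WebSphere cookie format.

```python
import math
from collections import Counter

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # the A-Z, 0-9 alphabet from the advisory

# Constructed sample (not real WebSphere output): a long static prefix and a
# short tail that steps through base-36 values 30, 33, 36, ... between sessions.
SAMPLE_IDS = ["0000ABCD1234EFGH" + tail for tail in
              ("000U", "000X", "0010", "0013", "0016", "0019", "001C", "001F")]


def position_entropy(ids):
    """Shannon entropy in bits observed at each character position of the sample."""
    n = len(ids)
    result = []
    for pos in range(len(ids[0])):
        counts = Counter(s[pos] for s in ids)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def varying_positions(ids):
    """Indexes of positions whose character changes at least once in the sample."""
    return [i for i, h in enumerate(position_entropy(ids)) if h > 0]


def sequential_step(ids):
    """Decode the varying positions of each ID as one base-36 number and return the
    constant difference between consecutive IDs, or None if the differences vary."""
    pos = varying_positions(ids)
    vals = [sum(ALPHABET.index(s[p]) * 36 ** (len(pos) - 1 - k)
                for k, p in enumerate(pos)) for s in ids]
    deltas = {b - a for a, b in zip(vals, vals[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def assess(ids):
    """Summarise how predictable the sampled IDs look (small samples understate entropy)."""
    pos = varying_positions(ids)
    return {
        "length": len(ids[0]),
        "static_positions": len(ids[0]) - len(pos),
        "max_bits_if_random": round(len(pos) * math.log2(len(ALPHABET)), 1),
        "observed_bits": round(sum(position_entropy(ids)), 1),
        "constant_step": sequential_step(ids),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_IDS))
```

A constant step together with a handful of varying positions is the signature to look for; a sound generator shows no constant step and per-position entropy close to the maximum once the sample is large enough.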