Vigil@nce - F5 BIG-IP Analytics: predictability of the session cookie
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can predict the session cookie of F5 BIG-IP Analytics,
in order to obtain sensitive information.
Impacted products: BIG-IP Appliance
Severity: 2/4
Creation date: 10/04/2013
DESCRIPTION OF THE VULNERABILITY
The F5 BIG-IP Analytics product uses an HTTP session cookie. For
example:
Set-Cookie: avr_1711324808_0_0_...=1818401381_13212460
However, this cookie can be predicted. Technical details are
unknown.
An attacker can therefore predict the session cookie of F5 BIG-IP
Analytics, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/F5-BIG-IP-Analytics-predictability-of-the-session-cookie-12645