Administrators of many electronic commerce Web sites have yet to plug a year-old security hole that allows malicious users to hijack another user's identity, according to a new survey by Web server information firm Netcraft Ltd.
Over a thousand transactional Web sites, including several high-profile ones, still use predictable session IDs, Netcraft said in the November issue of its monthly server survey, released Monday. The company first informed vendors about the vulnerability in November 2000, it said.
Session IDs are issued to users when they log in and used from then on to identify each page request. A user's ID is displayed in the Web browser address bar or stored on a user's hard disk in a cookie. In this case the IDs are encoded using a simple rule, making them easy to predict, Netcraft said. A malicious user would simply alter the address or cookie on their machine and take over somebody else's session.
The vulnerable systems all use Java Application Servers based on Sun Microsystems Inc.'s reference implementation of the Java Server Developers Kit (JSDK 2.0), Netcraft said. Affected are Java Web Server (JWS) from version 1.1, IBM Corp.'s WebSphere and various versions of Art Technology Group Inc.'s (ATG) Dynamo e-Business Platform, according to Netcraft.
Java Server Pages (JSP) aren't widely deployed by rank-and-file sites, but are often used in professional electronic-commerce Web sites that provide services such as stock trading, banking and ticketing, Netcraft said.