Title: UNIT4TETA TETA WEB - Session Fixation Author: Lukasz Miedzinski Date: 08. January 2015 CVE: CVE-2015-1174 Affected software : =================== UNIT4TETA TETA WEB 22.62.3.4 - newest version Older versions are probably affected too. Exploit was tested on : ====================== UNIT4TETA TETA WEB 22.62.3.4 - newest version Description : ============= TETA Web (former TETA Galactica) is an Internet platform interoperating with TETA HR (former TETA Personnel) application. It provides support for the HR departments of small, medium and very large companies. With this platform managers obtain a tool for effective management of subordinate business units, and HR departments can transfer some of their tasks, such as generating reports and printouts, monitoring leave days numbers and periodic examination dates, to employees and their supervisors. Vulnerability : *************** Session Fixation : ========================================= Description : Application is prone to session fixation and other session management issues. For this case an attacker is able to enumerate session id and use session of different user. Vulnerability is confirmed by Vendor. Patch is released Contact : ========= Lukasz[dot]Miedzinski[at]gmail [dot]com