OpenVPN Access Server Input Validation Flaw Lets Remote Users Conduct Session Fixation Attacks to Hijack a Target User's Session
Severity Rating: Medium
A vulnerability was reported in OpenVPN Access Server and can be exploited by remote attacker to conduct session fixation attacks to hijack a target user’s session. A remote user can create a specially crafted URL containing the '%0A' character that, when loaded by the target user prior to authentication, will inject headers and set the session cookie to a specified value. After the target user authenticates to the target OpenVPN Access Server, the remote user can hijack the target user's session.
Users are advised to update apply updates.
More information is available on:
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street