OSCommerce Session Fixation Vulnerability: SecurityFocus
OSCommerce reportedly has a session fixation vulnerability.
When a client visits an OSCommerce web page, the server sends a cookie. That cookie will be the session cookie for every further request. Thus, once logged in, the cookie will be used to authenticate the user.
http://www.securityfocus.com/archive/1/502351
When logging in (without cookies), the URL will look something like http://myserver/myapp/index.php?oscid=sometext
An attacker can send a link crafted like this: http://myserver/myapp/index.php?oscid=arbitrarysession. If the admin/user follows the link and logs in, his cookie will still be arbitrarysession. Thus, the attacker can hijack the session because he set the cookie.
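The advisory describes the flaw but not the fix. As an added illustration (not OSCommerce code, and not part of the advisory), the simplified session store below models the oscid handling and the two standard mitigations: refusing to adopt a session identifier the server never issued, and rotating the identifier at login. The class name, method names and the pre-chosen value "arbitrarysession" (taken from the advisory's example link) are assumptions for this example.

```python
import secrets

class SessionStore:
    """Minimal server-side session store modelling the oscid handling (hypothetical)."""
    def __init__(self):
        self._sessions = {}   # sid -> dict of session data

    def resolve(self, presented_sid, strict=True):
        """Map the sid a client presents (cookie or ?oscid=) to a session.
        Vulnerable behaviour (strict=False): adopt whatever sid the client names.
        Hardened behaviour (strict=True): an unknown sid is discarded and a fresh
        server-generated sid is issued instead."""
        if presented_sid in self._sessions:
            return presented_sid
        if strict or presented_sid is None:
            presented_sid = secrets.token_urlsafe(24)
        self._sessions[presented_sid] = {}
        return presented_sid

    def login(self, sid, user, regenerate=True):
        """Authenticate the session. Hardened: rotate the sid so that any
        identifier known before authentication no longer names a logged-in
        session (the equivalent of PHP's session_regenerate_id)."""
        data = self._sessions.pop(sid) if regenerate else self._sessions[sid]
        data["user"] = user
        if regenerate:
            sid = secrets.token_urlsafe(24)
            self._sessions[sid] = data
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def fixation_succeeds(strict, regenerate):
    """Replay the scenario from the advisory against a given configuration:
    the victim opens a link carrying a pre-chosen oscid and then logs in.
    Returns True if that pre-chosen value afterwards identifies the
    authenticated session, i.e. the mitigation failed."""
    store = SessionStore()
    preset_sid = "arbitrarysession"           # value from the advisory's example link (constructed scenario)
    victim_sid = store.resolve(preset_sid, strict=strict)
    store.login(victim_sid, "admin", regenerate=regenerate)
    return store.user_for(preset_sid) == "admin"
```

Either mitigation alone is enough to break the scenario; the original behaviour (neither applied) is the only configuration in which the pre-chosen identifier ends up naming the admin session.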