From the oCERT advisory:
AjaxTerm uses a form of random session id generation which can lead to remote session hijacking.
The ajaxterm.js script allocates session ids on the client side using the following method:
This vulnerability also allows Denial Of Service attacks as it is possible to exhaust the available session ids when performing a brute force attack and, depending on the configured AjaxTerm child command, system resources.
Credit: Michael Greb
ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with
which makes it easier for remote attackers to (1) hijack a session or
(2) cause a denial of service (session ID exhaustion) via a
Created Fedora tracking bugs for AjaxTerm:
All versions: bug #544033
Created attachment 390456 [details]
Debian has release a security advisory for ajaxterm to address this flaw:
Comment in the patch describes what changes they've made. Patch extracted from ajaxterm_0.10-2+lenny1.diff.gz .