JRun: The Easiness of Session Fixation
From: Christoph Schnidrig (christoph.schnidrig@csnc.ch)
Date: 02/28/03
From: "Christoph Schnidrig" <christoph.schnidrig@csnc.ch>
To: <bugtraq@securityfocus.com>
Date: Fri, 28 Feb 2003 15:35:36 +0100
Hi all,

The Session-ID Fixation paper available from
http://www.acros.si/papers/session_fixation.pdf mentions that JRun
accepts arbitrary Session-IDs and creates new sessions with the proposed
Session-ID. This means that it is possible to send the following URL
http://foo/bar?jsessionid=foo123 and the JRun server will accept and use
the proposed Session-ID (foo123). Furthermore, the server will set a
cookie in the user's browser with the proposed Session-ID! Using this
technique, it is much easier to exploit this kind of attack and to enter
other users' web application sessions.

Is anybody aware of a vendor patch or another workaround? Is it possible
to force the server to create a new Session-ID?

Thanks a lot
Christoph
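As an added illustration of the workaround the post asks about (this is example code written for this page, not code from JRun, from Macromedia, or from the poster): a servlet filter that refuses to adopt a client-proposed session identifier, covering both ways a container might honour such an id, plus a helper that rotates the session id after login. The class and method names (SessionFixationFilter, rotateSession, ISSUED_MARK) are assumptions. It also assumes the container generates a fresh id on getSession(true) after invalidate(); the post does not confirm that JRun does, which is why the filter logs the case where the presented id comes back unchanged.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical defensive filter (not JRun's own code). It runs before the
 * application and discards any session whose id was chosen by the client
 * rather than issued by the server.
 */
public class SessionFixationFilter implements Filter {

    // Marker set on every session this filter has created itself.
    static final String ISSUED_MARK = "fixation.filter.issued";

    private ServletContext ctx;

    public void init(FilterConfig cfg) throws ServletException {
        ctx = cfg.getServletContext();
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Id the client presented, from the cookie or from ;jsessionid=... in the URL.
        String presented = http.getRequestedSessionId();
        HttpSession current = http.getSession(false);

        // Case 1: the client presented an id that names no existing session.
        boolean unknownId = presented != null && !http.isRequestedSessionIdValid();
        // Case 2 (the behaviour described in the post): the container has
        // already created a session during this request under the id the
        // client proposed, so the id is "valid" but was never server-issued.
        boolean adoptedId = current != null && current.isNew()
                && presented != null && presented.equals(current.getId());

        if (unknownId || adoptedId) {
            if (current != null) {
                current.invalidate();
            }
            HttpSession fresh = http.getSession(true);
            fresh.setAttribute(ISSUED_MARK, Boolean.TRUE);
            if (presented.equals(fresh.getId())) {
                // The container re-used the client's id even after invalidate();
                // the filter cannot fix that, so make it visible to operators.
                ctx.log("session fixation: container re-adopted client id " + presented
                        + " from " + http.getRemoteAddr());
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Move the current session's attributes into a new session with a
     * server-generated id. Application login code should call this right
     * after successful authentication, so an id that was set before login
     * never identifies the authenticated session.
     */
    public static HttpSession rotateSession(HttpServletRequest http) {
        HttpSession old = http.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = http.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(ISSUED_MARK, Boolean.TRUE);
        return fresh;
    }
}
```

Map the filter to /* in web.xml so it runs ahead of every servlet and JSP. The rotation on login is the part that matters most: even a container that insists on honouring a proposed id cannot hand the attacker the authenticated session if the id changes after the credentials are checked, and any URL-rewritten links emitted afterwards must go through response.encodeURL() so they carry the new id.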