JRun: The Easiness of Session Fixation

From: Christoph Schnidrig (christoph.schnidrigat_private)
Date: Fri Feb 28 2003 - 06:35:36 PST


    Hi all
    
    The Session-ID Fixation paper available from
    http://www.acros.si/papers/session_fixation.pdf mentions that JRun
    accepts arbitrary Session-IDs and creates new sessions with the proposed
    Session-ID. This means that it is possible to send the following URL
    http://foo/bar?jsessionid=foo123 and the JRun server will accept and use
    the proposed Session-ID (foo123). Furthermore, the server will set a
    cookie in the user's browser with the proposed Session-ID! Using this
    technique, it is much easier to exploit this kind of attack and to enter
    other people's web application sessions.
    
    Is anybody aware of a vendor patch or another workaround? Is it possible
    to force the server to create a new Session-ID?
    
    
    Thanks a lot
    
    Christoph
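The following is an added example, not code from the post or from JRun: a small Python model of a server-side session table that contrasts the behaviour described above (a container adopting whatever `jsessionid` the client proposes and issuing a cookie for it) with the policy that prevents fixation: unknown identifiers are discarded in favour of a freshly generated one, and the identifier is rotated at login. `SessionStore`, `resolve` and `regenerate` are hypothetical names chosen for the model.

```python
import secrets
from urllib.parse import parse_qs, urlsplit


class SessionStore:
    """Minimal server-side session table mapping session ids to attribute dicts."""

    def __init__(self, adopt_proposed_ids):
        self.sessions = {}
        # True models the behaviour the post describes: the client's id is adopted.
        # False is the hardened policy: only server-issued ids are ever used.
        self.adopt_proposed_ids = adopt_proposed_ids

    def _new_id(self):
        # 192 bits from the OS CSPRNG; the client has no influence over this value.
        return secrets.token_urlsafe(24)

    def resolve(self, proposed_id):
        """Return (session_id, set_cookie) for a request that carried proposed_id (or None)."""
        if proposed_id in self.sessions:
            return proposed_id, False  # known, server-issued id: reuse, no new cookie
        if proposed_id is not None and self.adopt_proposed_ids:
            sid = proposed_id  # vulnerable: the attacker-chosen id becomes a real session
        else:
            sid = self._new_id()  # hardened: an unknown id is ignored, not adopted
        self.sessions[sid] = {}
        return sid, True  # a new session always means a new Set-Cookie

    def regenerate(self, old_id):
        """Rotate the id at a privilege change such as login; attributes survive, the id does not."""
        attrs = self.sessions.pop(old_id)
        new_id = self._new_id()
        self.sessions[new_id] = attrs
        return new_id


def proposed_id_from_url(url):
    """Extract a jsessionid query parameter as the post's example URL carries it, else None."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("jsessionid", [None])[0]


if __name__ == "__main__":
    url = "http://foo/bar?jsessionid=foo123"  # constructed, taken from the post's example
    print(SessionStore(adopt_proposed_ids=True).resolve(proposed_id_from_url(url)))
    print(SessionStore(adopt_proposed_ids=False).resolve(proposed_id_from_url(url)))
```

Even with the hardened `resolve`, an id that was legitimately issued before authentication is still known to whoever saw it, which is why `regenerate` at login is part of the fix rather than an optional extra.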
    



    This archive was generated by hypermail 2b30 : Fri Feb 28 2003 - 08:07:50 PST