JRun: The Easiness of Session Fixation
From: Christoph Schnidrig <christoph.schnidrig(at)csnc.ch>
Date: Fri Feb 28 2003 - 09:35:36 EST
The Session-ID Fixation paper available from http://www.acros.si/papers/session_fixation.pdf mentions that JRun accepts arbitrary Session-IDs and creates new sessions with the proposed Session-ID. This means that it is possible to send the following URL http://foo/bar?jsessionid=foo123 and the JRun server will accept and use the proposed Session-ID (foo123). Furthermore, the server will set a cookie in the user's browser with the proposed Session-ID! Using this technique, it is much easier to exploit this kind of attack and to enter others' web application sessions.

Is anybody aware of a vendor patch or another workaround? Is it possible to force the server to create a new Session-ID?

Thanks a lot
Christoph

Received on Fri Feb 28 11:40:57 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
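Added example, not from the post and not JRun's or any vendor's code: a servlet filter written against the Servlet 2.3 API that rejects a session whose ID the client proposed and the container adopted (the behaviour the post describes), plus the invalidate-and-recreate step a login handler should perform. Assumptions: the session cookie is named JSESSIONID, and the package and class names are hypothetical.

```java
package example; // hypothetical package name
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionFixationFilter implements Filter {
    private static final String SESSION_COOKIE = "JSESSIONID"; // assumed cookie name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String proposed = request.getRequestedSessionId(); // from cookie or URL rewriting
        HttpSession session = request.getSession(true);

        // The behaviour described in the post: the client sent an ID and the container
        // created a brand-new session under exactly that ID. A compliant container picks
        // its own ID for a new session, so a match means the ID was never server-issued.
        if (proposed != null && session.isNew() && proposed.equals(session.getId())) {
            session.invalidate();
            Cookie expire = new Cookie(SESSION_COOKIE, ""); // drop the cookie the server set
            expire.setMaxAge(0);
            expire.setPath("/");
            response.addCookie(expire);
            // Restart the request without any jsessionid so the next one gets a
            // server-generated ID: strip ";jsessionid=..." path parameters and drop the
            // query string (which is where "?jsessionid=foo123" would live).
            String uri = request.getRequestURI();
            int semi = uri.indexOf(';');
            if (semi >= 0) uri = uri.substring(0, semi);
            response.sendRedirect(uri);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Call from the login handler once credentials check out: whatever ID the
     *  pre-login session had must not survive into the authenticated session. */
    public static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        return request.getSession(true); // container chooses a fresh ID
    }
}
```

Map the filter to every URL pattern in web.xml so the check runs before any servlet touches the session; a redirect loop cannot occur because the redirected request carries no proposed ID.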