
AW: JRun: The Easiness of Session Fixation

From: Javor Evstatiev <Javor.Evstatiev(at)d-con.com>
Date: Sat Mar 01 2003 - 15:13:49 EST


Hi,

I can only speak with certainty about PHP, but this should also work in Java:

I save the incoming IP address when the session is created. On each request I compare the incoming IP address with the IP stored in the session. If it does not match, there is something foul.

cheers
j

-----Original Message-----
From: Christoph Schnidrig [mailto:christoph.schnidrig@csnc.ch]
Sent: Friday, 28 February 2003 15:36
To: bugtraq@securityfocus.com; webappsec@securityfocus.com
Subject: JRun: The Easiness of Session Fixation

Hi all

The Session-ID Fixation paper available from http://www.acros.si/papers/session_fixation.pdf mentions that JRun accepts arbitrary Session-IDs and creates new sessions with the proposed Session-ID. This means that it is possible to send the following URL http://foo/bar?jsessionid=foo123 and the JRun server will accept and use the proposed Session-ID (foo123). Furthermore, the server will set a cookie in the user's browser with the proposed Session-ID! Using this technique, it is much easier to exploit this kind of attack and to enter other users' web application sessions.

Is anybody aware of a vendor patch or another workaround? Is it possible to force the server to create a new Session-ID?


Thanks a lot

Christoph

Received on Sat Mar 1 15:24:46 2003
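The two defences raised in this thread, refusing to adopt a client-proposed session ID (the JRun behaviour Christoph describes) and pinning the session to the client IP (Javor's reply), plus re-issuing the ID at login, as an added example. This is neither poster's code and is not JRun or PHP session handling; it is a small Python session store with constructed IP addresses and an assumed one-hour lifetime.

```python
"""Toy server-side session store that resists session fixation.

Added example, not code from the thread. It demonstrates three checks:
  1. a session ID the server never issued is discarded, never adopted;
  2. the ID is rotated when the session gains privilege (login);
  3. optionally, the session is bound to the IP seen at creation.
"""
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed lifetime for this example


class SessionStore:
    def __init__(self, pin_ip: bool = True):
        self._sessions = {}   # sid -> {"created": float, "ip": str, "data": dict}
        self.pin_ip = pin_ip

    def _new_sid(self) -> str:
        # 128 bits from the OS CSPRNG; unguessable, unlike "foo123"
        return secrets.token_urlsafe(16)

    def create(self, client_ip: str) -> str:
        sid = self._new_sid()
        self._sessions[sid] = {"created": time.time(), "ip": client_ip, "data": {}}
        return sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def resolve(self, proposed_sid, client_ip: str) -> str:
        """Return the session ID this request should use.

        An unknown or expired ID gets a fresh server-issued session instead of
        being accepted as-is. With pin_ip, an IP mismatch also discards the
        session, which is the comparison described in the reply.
        """
        sess = self._sessions.get(proposed_sid) if proposed_sid else None
        if sess is None:
            return self.create(client_ip)
        if time.time() - sess["created"] > SESSION_TTL:
            self.destroy(proposed_sid)
            return self.create(client_ip)
        if self.pin_ip and sess["ip"] != client_ip:
            self.destroy(proposed_sid)
            return self.create(client_ip)
        return proposed_sid

    def regenerate(self, sid: str) -> str:
        """Move an existing session under a new ID, keeping its data."""
        sess = self._sessions.pop(sid)
        new_sid = self._new_sid()
        sess["created"] = time.time()
        self._sessions[new_sid] = sess
        return new_sid

    def login(self, sid: str, username: str) -> str:
        # Rotating at login makes any ID known before authentication worthless.
        new_sid = self.regenerate(sid)
        self._sessions[new_sid]["data"]["user"] = username
        return new_sid

    def user(self, sid: str):
        sess = self._sessions.get(sid)
        return sess["data"].get("user") if sess else None


def fixation_attempt(store: SessionStore) -> dict:
    """Replay the thread's scenario against the store and report the outcome."""
    proposed_sid = "foo123"                      # the ID from the original post's URL
    victim_ip, other_ip = "203.0.113.5", "198.51.100.9"   # constructed addresses
    # Victim arrives carrying the proposed ID; the server must not adopt it.
    victim_sid = store.resolve(proposed_sid, victim_ip)
    # Victim authenticates; the ID is rotated.
    post_login_sid = store.login(victim_sid, "alice")
    # A request from elsewhere presents the victim's pre-login ID.
    replay_sid = store.resolve(victim_sid, other_ip)
    return {
        "adopted_proposed_id": victim_sid == proposed_sid,
        "rotated_on_login": post_login_sid != victim_sid,
        "replay_sees_user": store.user(replay_sid),
        "victim_sees_user": store.user(post_login_sid),
    }


if __name__ == "__main__":
    print(fixation_attempt(SessionStore()))
```

The first check alone closes the behaviour described in the original post: an ID the server did not mint is never turned into a live session. IP pinning is a useful extra signal, but it ties the session to one address, so users behind rotating proxies or on mobile networks will be logged out on a change; it is therefore exposed here as an option rather than hard-wired.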

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

