Re: JRun: The Easiness of Session Fixation

From: Slow2Show <sl2sho(at)yahoo.com>
Date: Sun Mar 02 2003 - 17:08:40 EST
In-Reply-To: <000c01c2df36$abe5fe40$5d64a8c0@BLENDER>

FYI...ASP.NET does the same thing...check out HDMoore's core02 presentation
http://digitaloffense.net/confs/core02/

I don't have a recent RC of win03 server so I don't know if this has been/will be fixed prior to release.

Until the vendor fixes it in the product, I see no workaround for this issue.

-Slow2Show-

>JRun accepts arbitrary Session-IDs and creates new sessions with the proposed
>Session-ID. This means that it is possible to send the following URL
>http://foo/bar?jsessionid=foo123 and the JRun server will accept and use
>the proposed Session-ID (foo123). Furthermore the server will set a
>cookie in the user's browser with the proposed Session-ID! Using this
>technique, it is much easier to exploit this kind of attack and to enter
>others' web application sessions.
Received on Sun Mar 2 17:58:55 2003
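As an added illustration (not code from this thread, from JRun or from ASP.NET), a minimal session store written two ways: one that adopts whatever ID the client proposes, as the quoted text describes, and one that only honours IDs it issued itself and rotates the ID at login. The class names, the `scenario()` helper and the planted ID `foo123` from the quoted URL are assumptions used only for the simulation.

```python
import secrets


class FixationProneSessions:
    """Behaviour described in the quoted text: a client-proposed ID is adopted
    and a session is created under it."""

    def __init__(self):
        self.store = {}

    def resolve(self, presented_id):
        # Any presented ID becomes a valid session if it does not exist yet.
        sid = presented_id or secrets.token_urlsafe(16)
        self.store.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, user):
        self.store[sid]["user"] = user  # keeps the pre-auth ID
        return sid


class HardenedSessions:
    """Only server-issued IDs are honoured; unknown IDs are discarded and the
    ID is rotated when the user authenticates."""

    def __init__(self):
        self.store = {}
        self.rejected = 0  # IDs seen that we never issued (worth logging)

    def resolve(self, presented_id):
        if presented_id in self.store:
            return presented_id
        if presented_id is not None:
            self.rejected += 1  # detection signal: client-chosen ID
        sid = secrets.token_urlsafe(16)
        self.store[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        data = self.store.pop(sid)  # invalidate the pre-auth ID
        new_sid = secrets.token_urlsafe(16)
        data["user"] = user
        self.store[new_sid] = data
        return new_sid


def scenario(sessions):
    """Constructed scenario: 'foo123' is planted, the victim logs in with it,
    then a later request presents 'foo123'. Returns whose session it reaches."""
    victim_sid = sessions.resolve("foo123")
    victim_sid = sessions.login(victim_sid, "victim")
    later_sid = sessions.resolve("foo123")
    return sessions.store[later_sid]["user"]
```

With the fixation-prone store the later request lands in the victim's authenticated session; with the hardened store it gets a fresh anonymous session and the unknown-ID counter records the attempt.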

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT