[29088] in bugtraq
JRun: The Easiness of Session Fixation
daemon@ATHENA.MIT.EDU (Christoph Schnidrig)
Fri Feb 28 11:14:27 2003
From: "Christoph Schnidrig" <christoph.schnidrig@csnc.ch>
To: <bugtraq@securityfocus.com>
Date: Fri, 28 Feb 2003 15:35:36 +0100
Message-ID: <000c01c2df36$abe5fe40$5d64a8c0@BLENDER>
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Hi all
The Session-ID Fixation paper available from
http://www.acros.si/papers/session_fixation.pdf mentions that JRun
accepts arbitrary Session-IDs and creates new sessions with the proposed
Session-ID. This means that it is possible to send the following URL
http://foo/bar?jsessionid=foo123 and the JRun server will accept and use
the proposed Session-ID (foo123). Furthermore, the server will set a
cookie in the user's browser with the proposed Session-ID! Using this
technique, it is much easier to exploit this kind of attack and to enter
other users' web application sessions.
Is anybody aware of a vendor patch or another workaround? Is it possible
to force the server to create a new Session-ID?
Thanks a lot
Christoph
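As an added example (not code from the original post, from JRun or from the paper it cites), an application-level workaround for the behaviour described above: a servlet filter that never lets a client-proposed session ID become a session. When the container does not recognise the presented ID, the filter expires the cookie and redirects to the same URL with the jsessionid parameter removed, so the container has to issue its own ID on the next request. It assumes the javax.servlet 2.3 API of that era and that the session cookie is named jsessionid (an assumption; check the container's configuration).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Rejects session IDs the container did not issue, as a session-fixation mitigation. */
public class RejectUnknownSessionIdFilter implements Filter {
    // Cookie name is an assumption; adjust to what the container actually sets.
    private static final String COOKIE_NAME = "jsessionid";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String requested = request.getRequestedSessionId();
        if (requested != null && !request.isRequestedSessionIdValid()) {
            // The client presented an ID (e.g. "foo123") that no live session has.
            // Do NOT call getSession() here: on a container that adopts proposed
            // IDs, that call would turn the client's value into a real session.
            Cookie expire = new Cookie(COOKIE_NAME, "");
            expire.setMaxAge(0);   // tell the browser to drop the cookie
            expire.setPath("/");
            response.addCookie(expire);

            // Redirect to the same resource without the proposed ID. A genuinely
            // expired session costs the user one extra round trip, nothing more.
            // Plain sendRedirect is used on purpose: encodeRedirectURL() could
            // re-append a session ID through URL rewriting.
            response.sendRedirect(stripSessionId(request));
            return;
        }
        chain.doFilter(req, res);
    }

    /** Rebuilds the request URL with any jsessionid path or query parameter removed. */
    static String stripSessionId(HttpServletRequest request) {
        String url = request.getRequestURI().replaceAll("(?i);jsessionid=[^;?]*", "");
        String query = request.getQueryString();
        if (query != null) {
            query = query.replaceAll("(?i)(^|&)jsessionid=[^&]*", "").replaceAll("^&", "");
            if (query.length() > 0) url += "?" + query;
        }
        return url;
    }
}
```

Map the filter to the protected URL space in web.xml; a request for http://foo/bar?jsessionid=foo123 then answers with a redirect to /bar and an expired cookie instead of a session named foo123.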