WebApp Sec mailing list archives
JRun: The Easiness of Session Fixation
From: "Christoph Schnidrig" <christoph.schnidrig () csnc ch>
Date: Fri, 28 Feb 2003 15:35:36 +0100
Hi all The the Session-ID Fixation paper available from http://www.acros.si/papers/session_fixation.pdf mentions that JRun accepts abritrary Session-ID's and create new sessions with the proposed Session-ID. This means that it is possible to send the following URL http://foo/bar?jsessionid=foo123 and the JRun server will accept and use the proposed Session-ID (foo123). Furthermore the server will set a cookie in users browser with the proposed Session-ID! Using this technique, it is much easier to exploit this kind of attack and to enter in other's web application sessions. Is anybody aware of a vendor patch or another workaround? Is it possible to enforce the server to create a new Session-ID? Thanks a lot Christoph
Current thread:
- JRun: The Easiness of Session Fixation Christoph Schnidrig (Feb 28)
- <Possible follow-ups>
- Re: JRun: The Easiness of Session Fixation Slow2Show (Mar 02)