WebApp Sec mailing list archives

Re: JRun: The Easiness of Session Fixation


From: Slow2Show <sl2sho () yahoo com>
Date: 2 Mar 2003 22:08:40 -0000

In-Reply-To: <000c01c2df36$abe5fe40$5d64a8c0@BLENDER>

FYI...ASP.NET does the same thing...check out HDMoore's
core02 presentation
http://digitaloffense.net/confs/core02/

I don't have a recent RC of win03 server so I don't
know if this has been/will be fixed prior to release.

Until the vendor fixes it in the product, I see no
workaround for this issue.

-Slow2Show-

JRun accepts arbitrary Session-IDs and creates new sessions with the
proposed Session-ID. This means that it is possible to send the
following URL http://foo/bar?jsessionid=foo123 and the JRun server
will accept and use the proposed Session-ID (foo123). Furthermore the
server will set a cookie in the user's browser with the proposed
Session-ID! Using this technique, it is much easier to exploit this
kind of attack and to enter in others' web application sessions.
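
An added example, not part of the original posts and not any vendor's code: a minimal Python model of the session handling described in this thread, beside a store that ignores IDs it did not issue and rotates the ID at login. The class and function names are hypothetical; `foo123` is the ID from the quoted URL.

```python
import secrets


class PermissiveSessions:
    """Models the behaviour described above: any client-proposed ID is adopted."""

    def __init__(self):
        self.store = {}

    def resolve(self, proposed_id):
        if proposed_id is None:
            proposed_id = secrets.token_urlsafe(32)
        # Flaw: an unknown ID creates a session under the client's chosen value.
        self.store.setdefault(proposed_id, {"user": None})
        return proposed_id

    def login(self, sid, user):
        self.store[sid]["user"] = user
        return sid  # same ID before and after authentication


class StrictSessions(PermissiveSessions):
    """Only server-issued IDs are honoured, and login rotates the ID."""

    def resolve(self, proposed_id):
        if proposed_id not in self.store:
            # Unknown or missing ID: discard it and issue a fresh random one.
            proposed_id = secrets.token_urlsafe(32)
            self.store[proposed_id] = {"user": None}
        return proposed_id

    def login(self, sid, user):
        # Rotate on privilege change so a pre-login ID never becomes authenticated.
        self.store.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.store[new_sid] = {"user": user}
        return new_sid


def id_known_before_login_is_authenticated(manager, planted_id="foo123"):
    """Return True if an ID known before login ends up bound to the user."""
    sid = manager.resolve(planted_id)  # first request carries planted_id
    manager.login(sid, "alice")        # the user then authenticates
    return manager.store.get(planted_id, {}).get("user") == "alice"
```

Rejecting unknown IDs covers the arbitrary-ID case from the post; rotating at login also covers an ID that the server itself issued before authentication.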

