WebApp Sec mailing list archives
Re: JRun: The Easiness of Session Fixation
From: Slow2Show <sl2sho () yahoo com>
Date: 2 Mar 2003 22:08:40 -0000
In-Reply-To: <000c01c2df36$abe5fe40$5d64a8c0@BLENDER> FYI...ASP.NET does the same thing...check out HDMoore's core02 presentation http://digitaloffense.net/confs/core02/ I don't have a recent RC of win03 server so I don't know if this has been/will be fixed pior to release. Untill the vendor fixes it in the product, I see no workaround for this issue. -Slow2Show-
JRun accepts abritrary Session-ID's and create new sessions
with the proposed
Session-ID. This means that it is possible to send the
following URL
http://foo/bar?jsessionid=foo123 and the JRun server
will accept and use
the proposed Session-ID (foo123). Furthermore the
server will set a
cookie in users browser with the proposed Session-ID!
Using this
technique, it is much easier to exploit this kind of
attack and to enter
in other's web application sessions.
Current thread:
- JRun: The Easiness of Session Fixation Christoph Schnidrig (Feb 28)
- <Possible follow-ups>
- Re: JRun: The Easiness of Session Fixation Slow2Show (Mar 02)