Bugtraq mailing list archives

Re: The Easiness of Session Fixation


From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 28 Feb 2003 14:32:07 -0500

As a workaround, you can simply roll-your-own session IDs instead of using
the JRun ones.  This will also make your applications more portable.



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Christoph Schnidrig" <christoph.schnidrig () csnc ch>
To: <bugtraq () securityfocus com>
Sent: Friday, February 28, 2003 9:35 AM
Subject: JRun: The Easiness of Session Fixation


Hi all

The Session-ID Fixation paper available from
http://www.acros.si/papers/session_fixation.pdf mentions that JRun
accepts arbitrary Session-IDs and creates new sessions with the proposed
Session-ID. This means that it is possible to send the following URL
http://foo/bar?jsessionid=foo123 and the JRun server will accept and use
the proposed Session-ID (foo123). Furthermore the server will set a
cookie in the user's browser with the proposed Session-ID! Using this
technique, it is much easier to exploit this kind of attack and to enter
others' web application sessions.

Is anybody aware of a vendor patch or another workaround? Is it possible
to enforce the server to create a new Session-ID?


Thanks a lot

Christoph
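
An added example, not code from this thread or from JRun, modelling the behaviour Christoph describes and Kevin's workaround: a toy session store in Python with the vulnerable "adopt any proposed ID" path beside the hardened one that honours only server-issued IDs and rotates the ID at login. The `SessionStore` and `fixation_attempt` names and the `foo123` value are assumptions for illustration.

```python
import secrets
from typing import Dict, Optional

class SessionStore:
    """Toy server-side session store, constructed for this example.
    accept_proposed=True mirrors the JRun behaviour in the thread (an unknown
    client-supplied ID is adopted as a new session); False is the 'roll your own
    IDs' workaround (only server-issued IDs are honoured). rotate_on_login=True
    replaces the ID at authentication, so a pre-fixed value never names it."""

    def __init__(self, accept_proposed: bool, rotate_on_login: bool) -> None:
        self.accept_proposed = accept_proposed
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable, generated server-side
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, proposed: Optional[str]) -> str:
        """Map the ID a request carries (URL or cookie) to the ID the response sets."""
        if proposed in self.sessions:
            return proposed
        if proposed is not None and self.accept_proposed:
            # Vulnerable path: a client-chosen value becomes a live session.
            self.sessions[proposed] = {"user": None}
            return proposed
        return self.new_session()

    def login(self, sid: str, user: str) -> str:
        data = self.sessions[sid]
        data["user"] = user
        if not self.rotate_on_login:
            return sid
        del self.sessions[sid]  # retire the pre-login ID entirely
        fresh = secrets.token_urlsafe(32)
        self.sessions[fresh] = data
        return fresh

def fixation_attempt(store: SessionStore, fixed_sid: str = "foo123") -> bool:
    """Replay the thread's scenario: victim follows a link with jsessionid=fixed_sid,
    logs in; True means fixed_sid now names the victim's authenticated session."""
    victim_sid = store.resolve(fixed_sid)      # victim's first request
    store.login(victim_sid, "victim")          # victim authenticates
    hijacked = store.sessions.get(fixed_sid)   # what fixed_sid maps to afterwards
    return hijacked is not None and hijacked["user"] == "victim"
```

Running `fixation_attempt` against the four combinations shows that either refusing unknown IDs or rotating at login closes the hole; only the store that does neither is exploitable.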

