WebApp Sec mailing list archives
AW: JRun: The Easiness of Session Fixation
From: "Javor Evstatiev" <Javor.Evstatiev () d-con com>
Date: Sat, 1 Mar 2003 21:13:49 +0100
Hej,

I can only speak with certainty about PHP, but this should also work in Java: I save the incoming IP address when the session is created. On each request I compare the incoming IP address with the IP stored in the session. If it does not match, there is something foul.

cheers
j

-----Original message-----
From: Christoph Schnidrig [mailto:christoph.schnidrig () csnc ch]
Sent: Friday, 28 February 2003 15:36
To: bugtraq () securityfocus com; webappsec () securityfocus com
Subject: JRun: The Easiness of Session Fixation

Hi all

The Session-ID Fixation paper available from http://www.acros.si/papers/session_fixation.pdf mentions that JRun accepts arbitrary Session-IDs and creates new sessions with the proposed Session-ID. This means that it is possible to send the following URL

http://foo/bar?jsessionid=foo123

and the JRun server will accept and use the proposed Session-ID (foo123). Furthermore, the server will set a cookie in the user's browser with the proposed Session-ID! Using this technique, it is much easier to exploit this kind of attack and to enter other people's web application sessions.

Is anybody aware of a vendor patch or another workaround? Is it possible to force the server to create a new Session-ID?

Thanks a lot
Christoph
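The following is an added illustration (editor's example, not code from the thread, from JRun or from PHP) that models the two behaviours discussed above as a small in-memory session store: a container that adopts a client-proposed id such as `jsessionid=foo123`, versus one that ignores unknown ids and always issues its own. It then replays the attack Christoph describes under both policies, with and without the two defences the thread raises: regenerating the id when the user logs in, and binding the session to the client IP as Javor does. The class and function names, the IP addresses and the user name are the example's own assumptions.

```python
"""Session-fixation model (illustrative example, not JRun's or PHP's code).

Two container policies for a client-proposed session id:
  adopt_proposed_ids=True   -> behaves like the JRun report: unknown id is adopted
  adopt_proposed_ids=False  -> unknown id is ignored, server generates its own
Two defences:
  regenerate at login       -> old id is discarded when the user authenticates
  bind_ip=True              -> session usable only from the IP it was created for
"""
import secrets


class SessionStore:
    def __init__(self, adopt_proposed_ids: bool, bind_ip: bool):
        self.adopt = adopt_proposed_ids
        self.bind_ip = bind_ip
        self.sessions = {}  # sid -> {"user": str | None, "ip": str}

    def new_id(self) -> str:
        # Server-generated, unguessable id (CSPRNG), never taken from the client.
        return secrets.token_urlsafe(24)

    def _create(self, client_ip: str) -> str:
        sid = self.new_id()
        self.sessions[sid] = {"user": None, "ip": client_ip}
        return sid

    def resolve(self, proposed_id, client_ip: str) -> str:
        """Return the session id this request will actually run under.

        A known id is reused, unless IP binding is on and the request comes
        from a different address; then the request is treated as foul and
        gets a fresh anonymous session instead. An unknown id is only
        honoured under the adopt policy (the JRun behaviour in the thread).
        """
        if proposed_id in self.sessions:
            if self.bind_ip and self.sessions[proposed_id]["ip"] != client_ip:
                return self._create(client_ip)
            return proposed_id
        if proposed_id is not None and self.adopt:
            self.sessions[proposed_id] = {"user": None, "ip": client_ip}
            return proposed_id
        return self._create(client_ip)

    def login(self, sid: str, user: str, regenerate: bool) -> str:
        """Authenticate the session. With regenerate=True the pre-login id is
        discarded and the session data moves to a freshly generated id, so an
        id an attacker fixed before login no longer maps to anything."""
        if regenerate:
            data = self.sessions.pop(sid)
            sid = self.new_id()
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def user_of(self, sid, client_ip: str):
        return self.sessions[self.resolve(sid, client_ip)]["user"]


def fixation_attack(adopt: bool, regenerate: bool, bind_ip: bool):
    """Replay the attack from the thread; return the user the attacker ends up as.

    Addresses and user name are constructed sample values.
    """
    store = SessionStore(adopt, bind_ip)
    attacker_ip, victim_ip = "198.51.100.7", "203.0.113.5"
    # 1. Attacker lures the victim to http://foo/bar?jsessionid=foo123
    victim_sid = store.resolve("foo123", victim_ip)
    # 2. Victim logs in under whatever session the server gave them
    store.login(victim_sid, "alice", regenerate)
    # 3. Attacker presents the id they fixed in step 1
    return store.user_of("foo123", attacker_ip)


if __name__ == "__main__":
    print("adopt, no defence     :", fixation_attack(True, False, False))   # alice
    print("adopt + regenerate    :", fixation_attack(True, True, False))    # None
    print("adopt + IP binding    :", fixation_attack(True, False, True))    # None
    print("ignore proposed ids   :", fixation_attack(False, False, False))  # None
```

Only the combination of an adopting container and no login-time regeneration hands the attacker the victim's authenticated session. Of the two defences, regenerating the id at authentication is the one that needs no assumptions about the network; the IP check works in this model but, in real deployments, users behind proxy pools, NAT or mobile carriers legitimately change source addresses mid-session, so an IP mismatch is better treated as a signal for re-authentication than as proof of an attack.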
Current thread:
- AW: JRun: The Easiness of Session Fixation Javor Evstatiev (Mar 01)
- <Possible follow-ups>
- Re: AW: JRun: The Easiness of Session Fixation Hannes Schmiderer (Mar 01)