You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@openmeetings.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/05/12 03:19:12 UTC
[jira] [Commented] (OPENMEETINGS-1399) OpenMeetings is vulnerable
to session fixation
[ https://issues.apache.org/jira/browse/OPENMEETINGS-1399?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15281153#comment-15281153 ]
ASF subversion and git services commented on OPENMEETINGS-1399:
---------------------------------------------------------------
Commit 1743452 from [~solomax] in branch 'application/branches/3.1.x'
[ https://svn.apache.org/r1743452 ]
[OPENMEETINGS-1399] session cookie is being changed after successful login; code clean-up
> OpenMeetings is vulnerable to session fixation
> ----------------------------------------------
>
> Key: OPENMEETINGS-1399
> URL: https://issues.apache.org/jira/browse/OPENMEETINGS-1399
> Project: Openmeetings
> Issue Type: Bug
> Components: BuildsAndReleases, HTML5
> Affects Versions: 3.1.1
> Environment: Ubuntu 14.04.4
> Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
> Reporter: Michal S
> Assignee: Maxim Solodovnik
> Priority: Critical
> Fix For: 3.1.2, 3.2.0, 4.0.0
>
>
> The cookie JSESSIONID is issued before login, and is not changed on successful login. Therefore, an attacker can know this cookie and use it after a valid user authenticated it. This holds especially for shared workstations, as they are often found in border police stations.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)