Posted to commits@openmeetings.apache.org by "Michal S (JIRA)" <ji...@apache.org> on 2016/05/11 12:08:12 UTC

[jira] [Created] (OPENMEETINGS-1399) OpenMeetings is vulnerable to session fixation

Michal S created OPENMEETINGS-1399:
--------------------------------------

             Summary: OpenMeetings is vulnerable to session fixation
                 Key: OPENMEETINGS-1399
                 URL: https://issues.apache.org/jira/browse/OPENMEETINGS-1399
             Project: Openmeetings
          Issue Type: Bug
    Affects Versions: 3.1.1
         Environment: Ubuntu 14.04.4
                      Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
            Reporter: Michal S
            Assignee: Maxim Solodovnik


The cookie JSESSIONID is issued before login, and is not changed on successful login. Therefore, an attacker can know this cookie and use it after a valid user has authenticated it. This holds especially for shared workstations, as they are often found in border police stations.



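Added example (not part of the original report and not OpenMeetings code): a small constructed model of a server-side session table that puts the behaviour described in the report, where the pre-login session id is kept across login, beside a login that rotates the id, with a regression check a test suite could run against either. The class, method and user names are hypothetical.

```python
import secrets


class SessionStore:
    """Toy server-side session table (constructed model, not OpenMeetings code)."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def new_session(self):
        # Anonymous first request: the server hands out a JSESSIONID-style value.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        # Who does the server believe is behind this cookie value?
        return self._sessions.get(sid, {}).get("user")

    def login_keep_id(self, sid, user):
        # Behaviour described in the report: the pre-login id is marked authenticated.
        self._sessions[sid]["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        # Hardened login: retire the pre-login id, move its attributes to a fresh one.
        attrs = self._sessions.pop(sid)
        attrs["user"] = user
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = attrs
        return new_sid


def check_login(login_method_name):
    """Regression check: returns (id_changed, prelogin_id_still_authenticated)."""
    store = SessionStore()
    pre = store.new_session()  # value issued before login
    post = getattr(store, login_method_name)(pre, "alice")  # hypothetical user
    assert store.user_for(post) == "alice"  # the real user is logged in either way
    return post != pre, store.user_for(pre) is not None


if __name__ == "__main__":
    for name in ("login_keep_id", "login_rotate_id"):
        changed, stale_ok = check_login(name)
        print(f"{name}: id changed={changed}, pre-login id authenticated={stale_ok}")
```

In a Servlet 3.1 container the rotation step corresponds to calling HttpServletRequest.changeSessionId() after successful authentication; the report does not say how OpenMeetings handles this.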