Posted to java-dev@axis.apache.org by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org> on 2010/06/14 18:13:14 UTC

[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Description: 
We have found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the browser of the victim; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
I found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, it allows an attacker to fix a session cookie in the browser of the victim; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu, Debian
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
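The report's mitigation (invalidate the HTTP session and recreate it on login so the user gets a new session id) is easiest to see in code. The servlet below is an added example written for this page, not code from Axis2 or from the reporter; `authenticate()` and the `cart` attribute name are hypothetical stand-ins. It shows the vulnerable pattern (keeping whatever session the browser presented) next to the fixed one.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not Axis2 code): a login servlet that defeats session
 * fixation by discarding the session id the browser presented and issuing
 * a fresh one once the credentials are accepted.
 */
public class LoginServlet extends HttpServlet {

    // Hypothetical credential check; replace with the application's real one.
    private boolean authenticate(String user, String password) {
        return user != null && password != null && !password.isEmpty();
    }

    // VULNERABLE pattern: the pre-login session (whose id may have been
    // planted in the browser before login) is kept, so that same id now
    // identifies the authenticated session.
    protected void vulnerableLogin(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("user");
        if (authenticate(user, req.getParameter("password"))) {
            HttpSession session = req.getSession(true); // reuses the presented JSESSIONID
            session.setAttribute("user", user);
            resp.sendRedirect(req.getContextPath() + "/home");
        } else {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    // FIXED pattern: invalidate the old session and create a new one, so the
    // authenticated session id is never one the client presented beforehand.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Carry over only attributes that are safe to keep across the login
        // boundary (here a hypothetical "cart"), never anything security-relevant.
        Map<String, Object> carryOver = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if ("cart".equals(name)) {
                    carryOver.put(name, old.getAttribute(name));
                }
            }
            old.invalidate(); // the container discards the old session and its id
        }

        HttpSession fresh = req.getSession(true); // new id, new Set-Cookie header
        for (Map.Entry<String, Object> e : carryOver.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

On a Servlet 3.1 or later container, `HttpServletRequest.changeSessionId()` rotates the id in place and avoids the attribute copy; the invalidate-and-recreate form above is the one that works on the older containers the affected Axis2 versions were typically deployed on. Either way, check in a browser that the `Set-Cookie` header returned by the login response carries a session id different from the one sent in the request.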

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
