You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by "Glen Daniels (JIRA)" <ji...@apache.org> on 2010/06/14 22:29:14 UTC

[jira] Resolved: (AXIS2-4739) Apache Axis2 Session Fixation

     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Glen Daniels resolved AXIS2-4739.
---------------------------------

         Assignee: Glen Daniels
    Fix Version/s: 1.6
                   nightly
       Resolution: Fixed

The XSS vulnerability that is the vector for this bug has already been fixed, both on the trunk (for 1.6) and the 1.5 branch (for 1.5.2).  Please confirm by grabbing a SNAPSHOT, but if there appears to still be a problem, feel free to re-open this issue.  Thanks for the report!


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Assignee: Glen Daniels
>            Priority: Critical
>             Fix For: 1.6, nightly
>
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org