Posted to savan-dev@ws.apache.org by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org> on 2010/06/14 18:09:20 UTC

[jira] Created: (AXIS2-4739) Apache Axis2 Session Fixation

Apache Axis2 Session Fixation
-----------------------------

                 Key: AXIS2-4739
                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
             Project: Axis2
          Issue Type: Bug
    Affects Versions: 1.4.1, 1.5, 1.5.1
         Environment: Tested on Linux Ubuntu, Debian
            Reporter: Tiago Ferreira Barbosa
            Priority: Critical


I found a Session Fixation vulnerability in Apache Axis2. When successfully exploited, it allows an attacker to fix a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
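The mitigation the report asks for (invalidate the HTTP session and recreate it on login so the user receives a fresh session id) written out as a servlet login handler. This is an added example for illustration, not code from the report or from the Axis2 project; the class name `AdminLoginServlet`, the request parameter names, the `/axis2-admin/` redirect target and the init-parameter credential check are assumptions made for this example.

```java
// Added example, not Axis2 project code: a servlet login handler that applies
// the invalidate-and-recreate pattern recommended in the report.
// AdminLoginServlet, the parameter names and the init-parameter credential
// check are assumptions made for this example.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AdminLoginServlet extends HttpServlet {

    // Attribute that marks a session as authenticated; other admin pages
    // should check isAuthenticated() rather than trusting the session id alone.
    static final String USER_ATTR = "authenticatedUser";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("userName");
        String password = request.getParameter("password");

        if (!authenticate(user, password)) {
            // Do not touch the session on failure: a failed login must not
            // upgrade a planted session id to an authenticated one.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence. Whatever session id arrived with this
        // request is untrusted: it may have been planted in the browser (for
        // example via the XSS described in the report). Invalidate it and let
        // the container issue a brand-new id before storing any authenticated
        // state. On Servlet 3.1+ request.changeSessionId() does the same while
        // keeping existing attributes; invalidate/recreate is what the
        // Servlet 2.x containers of the affected releases offered.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // new id, empty state
        fresh.setAttribute(USER_ATTR, user);
        fresh.setMaxInactiveInterval(15 * 60); // idle timeout in seconds (assumed value)

        response.sendRedirect(request.getContextPath() + "/axis2-admin/");
    }

    /** True only for a session created by this servlet after a successful login. */
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    // Hypothetical credential check against init-parameters in web.xml;
    // a real deployment would use a hashed credential store.
    private boolean authenticate(String user, String password) {
        String expectedUser = getServletConfig().getInitParameter("adminUser");
        String expectedPassword = getServletConfig().getInitParameter("adminPassword");
        if (user == null || password == null || expectedUser == null || expectedPassword == null) {
            return false;
        }
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
        return MessageDigest.isEqual(user.getBytes(StandardCharsets.UTF_8),
                                     expectedUser.getBytes(StandardCharsets.UTF_8))
            && MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8),
                                     expectedPassword.getBytes(StandardCharsets.UTF_8));
    }
}
```

Every admin page should gate on `isAuthenticated()` rather than on the mere presence of a session cookie, so a planted id that never passed through `doPost` carries no privilege. Cookie attributes set in `web.xml` (`<session-config><cookie-config>` with `http-only` and `secure`, available from Servlet 3.0) are a useful complement, but they do not replace server-side regeneration of the id at login: that regeneration is what actually breaks the fixation.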


[jira] Reopened: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa reopened AXIS2-4739:
-------------------------------------------


Even if the XSS has been corrected, the session fixation problem is still there, because they are different problems.
The fact that there is no attack vector does not mean it is not vulnerable.

http://www.owasp.org/index.php/Session_fixation
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Thank you for your attention

> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Assignee: Glen Daniels
>            Priority: Critical
>             Fix For: 1.6, nightly
>
>
> We have found a Session Fixation vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 



[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Description: 
We have found a Session Fixation vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
We have found a Session Fixation vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu, Debian
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 



[jira] Resolved: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Glen Daniels (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Glen Daniels resolved AXIS2-4739.
---------------------------------

         Assignee: Glen Daniels
    Fix Version/s: 1.6
                   nightly
       Resolution: Fixed

The XSS vulnerability that is the vector for this bug has already been fixed, both on the trunk (for 1.6) and the 1.5 branch (for 1.5.2).  Please confirm by grabbing a SNAPSHOT, but if there appears to still be a problem, feel free to re-open this issue.  Thanks for the report!




[jira] Commented: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Prabath Siriwardena (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878720#action_12878720 ] 

Prabath Siriwardena commented on AXIS2-4739:
--------------------------------------------

Hi;

Axis2 admin console only allows one user to log in..? So, to plant this XSS attack, it should be the admin who does this against himself..

Or am I missing something...

Thanks & regards.
-Prabath

> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 



[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Description: 
We have found a Session Fixation vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
I found a Session Fixation vulnerability in Apache Axis2. When successfully exploited, it allows an attacker to fix a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu, Debian
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 



[jira] Issue Comment Edited: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878728#action_12878728 ] 

Tiago Ferreira Barbosa edited comment on AXIS2-4739 at 6/14/10 4:21 PM:
------------------------------------------------------------------------

Not necessarily; consider the case in which an attacker sends a malicious URL (see code snippet) to the administrator, and when he accesses the admin page via this URL, his session can be stolen.



      was (Author: tiagoferreira):
    Not necessarily; consider the case in which an attacker sends a malicious URL (see code snippet) to the administrator, and when he accesses the admin page via this URL, his session might have been stolen.


  


[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.  (was: Tested on Linux Ubuntu, Debian)
    Description: 
We have found a Session Fixation vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).

Code Snippet:

http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>

The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
We have found a Session Fixation vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 




[jira] Commented: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878728#action_12878728 ] 

Tiago Ferreira Barbosa commented on AXIS2-4739:
-----------------------------------------------

Not necessarily; consider the case in which an attacker sends a malicious URL (see code snippet) to the administrator, and when he accesses the admin page via this URL, his session might have been stolen.



> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Description: 
We have found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows to 
fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
I was found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, allows to fix a session Cookie in the browser of  the victim, this way it's possible to perform session hijacking attacks

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu, Debian
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows to 
> fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Description: 
We have found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows to 
fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
I was found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, allows to fix a session Cookie in the browser of  the victim, this way it's possible to perform session hijacking attacks

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu, Debian
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows to 
> fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 



[jira] Commented: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878728#action_12878728 ] 

Tiago Ferreira Barbosa commented on AXIS2-4739:
-----------------------------------------------

Not necessarily; consider the case in which an attacker sends a malicious URL (see code snippet) to the administrator, and when he accesses the admin page via this URL, his session might be stolen.



> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

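The mitigation the report asks for, invalidating and recreating the HTTP session on login, as an added servlet-API example; this is not Axis2's code. RotatingLoginServlet, the authenticate hook, the userName/password parameters and the authenticatedUser attribute are assumptions; the /axis2-admin path is the one named in the report.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet (not Axis2 code) that rotates the session id on
 * successful login, which is the fix the report asks for.
 */
public abstract class RotatingLoginServlet extends HttpServlet {

    /** Attribute name under which the logged-in user is stored; an assumption. */
    static final String USER_ATTR = "authenticatedUser";

    /** Credential check supplied by the concrete subclass; an assumption. */
    protected abstract boolean authenticate(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("userName");
        String password = req.getParameter("password");

        if (user == null || password == null || !authenticate(user, password)) {
            // Failed login: never promote the presented session to "logged in".
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Only AFTER authentication succeeds is the user bound to a session,
        // and only to a session whose id the browser did not choose.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute(USER_ATTR, user);
        resp.sendRedirect(req.getContextPath() + "/axis2-admin/");
    }

    /**
     * Drops whatever session id the browser presented and issues a new one.
     *
     * If the presented JSESSIONID was planted (the report does it with
     * document.cookie from an XSS payload), the planter knows that id. After
     * invalidate() the server no longer recognises it, and getSession(true)
     * generates a fresh id that goes back to the browser in a new Set-Cookie
     * header. Pre-login session state is deliberately NOT copied across: an
     * attacker who controlled the old session could have seeded it.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession presented = req.getSession(false);
        if (presented != null) {
            presented.invalidate();
        }
        // On Servlet 3.1+ containers, req.changeSessionId() is an alternative
        // that keeps attributes while still replacing the id.
        return req.getSession(true);
    }
}
```

Closing the XSS vector alone does not give this property; only the rotation on login makes an id chosen before authentication worthless.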


[jira] Issue Comment Edited: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878728#action_12878728 ] 

Tiago Ferreira Barbosa edited comment on AXIS2-4739 at 6/14/10 4:21 PM:
------------------------------------------------------------------------

Not necessarily; consider the case in which an attacker sends a malicious URL (see code snippet) to the administrator, and when he accesses the admin page via this URL, his session can be stolen.



      was (Author: tiagoferreira):
    Not necessarily, consider the case in which an attacker sends a malicious URL (see code snippet) for the administrator, and when he access the admin page via this URL, your session might have stolen.


  
> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 



[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.  (was: Tested on Linux Ubuntu, Debian)
    Description: 
We have found a session fixation vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fix a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a cross-site scripting flaw existing in Axis2 (http://www.exploit-db.com/exploits/12721/).

Code Snippet:

http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>

The above code, when run in the victim's browser, sets the session cookie sent by the attacker in it.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 




[jira] Commented: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Prabath Siriwardena (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878720#action_12878720 ] 

Prabath Siriwardena commented on AXIS2-4739:
--------------------------------------------

Hi;

Axis2 admin console only allows one user to log in..? So - to plant this XSS attack it should be the admin who should do this against himself..

Or am I missing something...

Thanks & regards.
-Prabath

> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 



[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Description: 
We have found a session fixation vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fix a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
We have found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows to 
fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu, Debian
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 





[jira] Resolved: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Glen Daniels (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Glen Daniels resolved AXIS2-4739.
---------------------------------

         Assignee: Glen Daniels
    Fix Version/s: 1.6
                   nightly
       Resolution: Fixed

The XSS vulnerability that is the vector for this bug has already been fixed, both on the trunk (for 1.6) and the 1.5 branch (for 1.5.2).  Please confirm by grabbing a SNAPSHOT, but if there appears to still be a problem, feel free to re-open this issue.  Thanks for the report!


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Assignee: Glen Daniels
>            Priority: Critical
>             Fix For: 1.6, nightly
>
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 



[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Description: 
We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
We have found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows to 
fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu, Debian
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Resolved: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Glen Daniels (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Glen Daniels resolved AXIS2-4739.
---------------------------------

         Assignee: Glen Daniels
    Fix Version/s: 1.6
                   nightly
       Resolution: Fixed

The XSS vulnerability that is the vector for this bug has already been fixed, both on the trunk (for 1.6) and the 1.5 branch (for 1.5.2).  Please confirm by grabbing a SNAPSHOT, but if there appears to still be a problem, feel free to re-open this issue.  Thanks for the report!


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Assignee: Glen Daniels
>            Priority: Critical
>             Fix For: 1.6, nightly
>
>
> We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Reopened: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa reopened AXIS2-4739:
-------------------------------------------


Even if the XSS has been corrected, the session fixation problem is still there, because they are different problems.
The fact that there is no attack vector does not mean it is not vulnerable.

http://www.owasp.org/index.php/Session_fixation
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Thank you for your attention

> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Assignee: Glen Daniels
>            Priority: Critical
>             Fix For: 1.6, nightly
>
>
> We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
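The point made in the reopening comment above is that fixation is a property of the login flow, independent of the XSS that happens to deliver the cookie. The following added example (not part of Axis2 or of the report) tests that property directly, the way an attacker would set it up: it first obtains a valid, unauthenticated JSESSIONID from the server, then logs in while presenting that id, and reports whether the login response issued a different one. Java 11's HttpClient, the form field names userName/password, the login action path /login under /axis2/axis2-admin and the default credentials admin/axis2 are assumptions; adjust them for the deployment under test, and run it only against systems you are authorised to test.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;

/**
 * Black-box check: does logging in rotate the servlet session id?
 * Added example for this issue, not Axis2 code. Assumes Java 11+ and a login form that
 * POSTs userName/password to <base>/login; the field names, paths and default
 * credentials below are assumptions about the Axis2 admin console.
 */
public class SessionRotationCheck {

    /** Value of the JSESSIONID cookie among a list of Set-Cookie header values, if present. */
    static Optional<String> sessionIdFromSetCookie(List<String> setCookies) {
        for (String sc : setCookies) {
            String pair = sc.split(";", 2)[0].trim();        // "NAME=value" before any attributes
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).trim().equalsIgnoreCase("JSESSIONID")) {
                return Optional.of(pair.substring(eq + 1).trim());
            }
        }
        return Optional.empty();
    }

    /** Step 1: obtain a valid, unauthenticated session id, as the attacker would before planting it. */
    static String obtainSessionId(HttpClient client, String loginPageUrl) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(loginPageUrl)).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        return sessionIdFromSetCookie(resp.headers().allValues("Set-Cookie"))
                .orElseThrow(() -> new IllegalStateException("no JSESSIONID issued by " + loginPageUrl));
    }

    /**
     * Step 2: log in while presenting the planted id. Returns true if the response carries a
     * different JSESSIONID (session recreated at login), false if the planted one is kept.
     */
    static boolean loginRotatesSession(HttpClient client, String loginActionUrl, String plantedId,
                                       String user, String pass) throws Exception {
        String form = "userName=" + URLEncoder.encode(user, StandardCharsets.UTF_8)
                + "&password=" + URLEncoder.encode(pass, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(loginActionUrl))
                .header("Cookie", "JSESSIONID=" + plantedId)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        Optional<String> issued = sessionIdFromSetCookie(resp.headers().allValues("Set-Cookie"));
        // No Set-Cookie, or the same value again, means the authenticated state now lives in
        // the session whose id the attacker already knows.
        return issued.isPresent() && !issued.get().equals(plantedId);
    }

    public static void main(String[] args) throws Exception {
        String base = args.length > 0 ? args[0] : "http://localhost:8080/axis2/axis2-admin"; // assumed path
        String user = args.length > 1 ? args[1] : "admin";   // assumed default credentials
        String pass = args.length > 2 ? args[2] : "axis2";
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER)   // inspect the login response itself
                .build();                                     // no CookieHandler: cookies are sent by hand

        String planted = obtainSessionId(client, base + "/");
        boolean rotated = loginRotatesSession(client, base + "/login", planted, user, pass);
        System.out.println("planted id  : " + planted);
        System.out.println("login result: " + (rotated
                ? "new session id issued (session recreated on login)"
                : "planted id kept (session fixation possible)"));
    }
}
```

Obtaining a real id first matters: a default Tomcat does not adopt an unknown id from a Cookie header, so a made-up value would produce a misleading "rotated" result, while a valid id it issued itself is honoured. An application that rewrites the id into URLs rather than cookies, or that issues the post-login cookie on a later response, needs the check adapted accordingly.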


[jira] Commented: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878728#action_12878728 ] 

Tiago Ferreira Barbosa commented on AXIS2-4739:
-----------------------------------------------

Not necessarily. Consider the case in which an attacker sends a malicious URL (see the code snippet) to the administrator; when he accesses the admin page via this URL, his session might be stolen.



> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Description: 
We have found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
I found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, it allows an attacker to fix a session cookie in the victim's browser; this way it's possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu, Debian
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Commented: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Prabath Siriwardena (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878720#action_12878720 ] 

Prabath Siriwardena commented on AXIS2-4739:
--------------------------------------------

Hi;

The Axis2 admin console only allows one user to log in? So, to plant this XSS attack, it should be the admin who does this against himself.

Or am I missing something...

Thanks & regards.
-Prabath

> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Issue Comment Edited: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878728#action_12878728 ] 

Tiago Ferreira Barbosa edited comment on AXIS2-4739 at 6/14/10 4:21 PM:
------------------------------------------------------------------------

Not necessarily. Consider the case in which an attacker sends a malicious URL (see the code snippet) to the administrator; when he accesses the admin page via this URL, his session can be stolen.



      was (Author: tiagoferreira):
    Not necessarily. Consider the case in which an attacker sends a malicious URL (see the code snippet) to the administrator; when he accesses the admin page via this URL, his session might have been stolen.


  
> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.  (was: Tested on Linux Ubuntu, Debian)
    Description: 
We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).

Code Snippet:

http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>

The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

  was:
We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in the victim's browser; this way it is possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross-Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Resolved: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Glen Daniels (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Glen Daniels resolved AXIS2-4739.
---------------------------------

         Assignee: Glen Daniels
    Fix Version/s: 1.6
                   nightly
       Resolution: Fixed

The XSS vulnerability that is the vector for this bug has already been fixed, both on the trunk (for 1.6) and the 1.5 branch (for 1.5.2).  Please confirm by grabbing a SNAPSHOT, but if there appears to still be a problem, feel free to re-open this issue.  Thanks for the report!


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Assignee: Glen Daniels
>            Priority: Critical
>             Fix For: 1.6, nightly
>
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


[jira] Reopened: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa reopened AXIS2-4739:
-------------------------------------------


Even if the xss has been corrected, the problem of session fixation is still there because they are different problems.
The fact that there is no attack vector does not mean it is not vulnerable

http://www.owasp.org/index.php/Session_fixation
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Thank you for your attention

> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Assignee: Glen Daniels
>            Priority: Critical
>             Fix For: 1.6, nightly
>
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id.



[jira] Updated: (AXIS2-4739) Apache Axis2 Session Fixation

Posted by "Tiago Ferreira Barbosa (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago Ferreira Barbosa updated AXIS2-4739:
------------------------------------------

    Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.  (was: Tested on Linux Ubuntu, Debian)
    Description: 
We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows fixating a session cookie in the browser of the victim; this way it is possible to perform session hijacking attacks.

The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).

Code Snippet:

http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>

The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id.

  was:
We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows fixating a session cookie in the browser of the victim; this way it is possible to perform session hijacking attacks.

To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id.


> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows fixating a session cookie in the browser of the victim; this way it is possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing Cross Site Scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id.

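The mitigation the report asks for (invalidate the HTTP session and recreate it on login so the browser receives a fresh id) shown as an added example in Java. This is illustrative code written for this page, not Axis2's own code or its eventual fix. The login path, the `userName`/`password` parameter names, the `ui.` attribute prefix and the `authenticate` hook are assumptions; the real admin console's names are not given in the report.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical servlet filter (not Axis2 code) that rotates the session id on
 * successful login. A session id planted in the browser before login (as in the
 * report) is invalidated here, so the attacker's copy of it no longer maps to
 * an authenticated session.
 */
public abstract class SessionFixationGuard implements Filter {

    // Assumed login endpoint and attribute names (not taken from the report).
    private static final String LOGIN_PATH = "/axis2-admin/login";
    private static final String USER_ATTR = "authenticated.user";

    /** Deployer supplies the real credential check for the admin console. */
    protected abstract boolean authenticate(String user, String password);

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only the login POST is handled here; everything else passes through.
        if (!"POST".equals(request.getMethod()) || !LOGIN_PATH.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        String user = request.getParameter("userName");
        String pass = request.getParameter("password");
        if (user == null || pass == null || !authenticate(user, pass)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Credentials are good: discard the pre-login session, create a new one,
        // and only then mark it as authenticated.
        HttpSession fresh = rotateSession(request);
        fresh.setAttribute(USER_ATTR, user);
        response.sendRedirect(request.getContextPath() + "/axis2-admin/");
    }

    /**
     * Invalidate whatever session the request arrived with and start a new one.
     * The container issues a new id and sends it in a new JSESSIONID cookie.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            // Carry over only harmless UI state; authentication state is never
            // copied, it is set on the new session by the login code above.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (name.startsWith("ui.")) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        carried.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

The invalidate-then-`getSession(true)` sequence is the portable form that works on the Servlet 2.5 containers of the Axis2 1.4/1.5 era; on Servlet 3.1 or later, `request.changeSessionId()` performs the rotation in one call while keeping the session's attributes. Either way the property that matters is the one the report states: the id the browser had before authentication is not the id it has after.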

