You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-dev@axis.apache.org by "Prabath Siriwardena (JIRA)" <ji...@apache.org> on 2010/06/14 22:01:13 UTC

[jira] Commented: (AXIS2-4739) Apache Axis2 Session Fixation

    [ https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878720#action_12878720 ] 

Prabath Siriwardena commented on AXIS2-4739:
--------------------------------------------

Hi;

Axis2 admin console only allows one user to login..? So - to plant this XSS attack it should be the admin who should do this againt him self..

Or am I missing something...

Thanks & regards.
-Prabath

> Apache Axis2 Session Fixation
> -----------------------------
>
>                 Key: AXIS2-4739
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4739
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.
>            Reporter: Tiago Ferreira Barbosa
>            Priority: Critical
>
> We have found a Session Fixation Vulnerability in administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script in existing Axis2 (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org