Wells guo created JBPORTAL-2495:
-----------------------------------
Summary: Session Fixation
Key: JBPORTAL-2495
URL: https://issues.jboss.org/browse/JBPORTAL-2495
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Environment: EPP 5.1.0
Reporter: Wells guo
Hi,
Now our security team has reported a Session Fixation issue: after a user logs into the
project on machine A, if I copy the JSESSIONID cookie to machine B, the user on machine B
can view the private content of the project.
So do you have any advice about this issue? Thanks!
Steps to Reproduce:
1. Get cookie from the browser on machine A.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__
^^^^^^^^^^^^^^^^^^^^^^^^
Connection: keep-alive
Cache-Control: max-age=0
2. Clear cookie of browser on machine B.
3. Request the project homepage on machine B and modify the Set-Cookie in the response to A's cookie.
GET XXX HTTP/1.1
Host: XXXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 15 Aug 2013 10:45:23 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__; Path=/; Secure
^^^^^^^^^^^^^^^^^^^^^^^^^
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 24896
4. Log in in the browser on machine B.
Actual results:
Both machine A and machine B log in to the project successfully.
Expected results:
Machine A should not be logged in without providing any credentials.
Additional info:
An attacker can modify the user's cookie by sending a malicious link to the user.
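The usual fix for this class of problem is to issue a new session identifier at the moment of authentication, so that an identifier known before login (copied or planted) is never promoted to an authenticated session. The filter below is an added illustration written for this report, not code from JBoss Portal or EPP; it targets the Servlet 2.5 API that the response's X-Powered-By header advertises, and it assumes a hypothetical "login" request parameter marks the login form submission. The class name, the parameter name and the filter placement are assumptions.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not part of JBoss Portal / EPP) that
 * rotates the JSESSIONID on every login request. Servlet 2.5 has no
 * changeSessionId(), so the pre-authentication session is invalidated and a
 * fresh one created; on Servlet 3.1+ request.changeSessionId() does this in
 * one call. The filter must be mapped so it runs before the code that
 * authenticates the user.
 */
public class SessionRotationFilter implements Filter {

    // Assumed: a login form submission carries this parameter (constructed name).
    private static final String LOGIN_MARKER_PARAM = "login";

    public void init(FilterConfig cfg) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        if (isLoginRequest(httpReq)) {
            rotateSession(httpReq);
        }
        chain.doFilter(req, res);
    }

    /** Only POSTed login submissions trigger rotation. */
    static boolean isLoginRequest(HttpServletRequest req) {
        return "POST".equalsIgnoreCase(req.getMethod())
                && req.getParameter(LOGIN_MARKER_PARAM) != null;
    }

    /**
     * Drop the session whose id the client already knows and start a new one.
     * Attributes are carried over so pre-login state (locale, CSRF token, ...)
     * survives; if nothing from the anonymous session should outlive login,
     * leave the copy out.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();               // server forgets the old id entirely
        }
        HttpSession fresh = req.getSession(true); // container sends a new Set-Cookie: JSESSIONID
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Two caveats when applying this pattern to a portal: if login is handled by container-managed security (j_security_check) rather than by application code, a servlet filter never sees the credential check, and the rotation has to be done by the container's authenticator instead (Tomcat-derived authenticators expose a changeSessionIdOnAuthentication setting; whether the JBoss Web build in EPP 5.1.0 honours it is something to confirm against its own documentation). And the check that the fix works is simple: capture the JSESSIONID before and after a successful login, and the two values must differ.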
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira