[jboss-jira] [JBoss JIRA] (JBPORTAL-2495) Session Fixation

Wells guo (JIRA) jira-events at lists.jboss.org
Mon Dec 9 01:42:06 EST 2013


Wells guo created JBPORTAL-2495:
-----------------------------------

             Summary: Session Fixation
                 Key: JBPORTAL-2495
                 URL: https://issues.jboss.org/browse/JBPORTAL-2495
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
         Environment: EPP 5.1.0
            Reporter: Wells guo


Hi,
Our security team has now reported a Session Fixation issue: after a user logs in to the project on machine A, if I copy the JSESSIONID cookie to machine B, the user on machine B can view the private content of the project.

So do you have any advice about this issue? Thanks!

Steps to Reproduce:

1. Get the cookie from the browser on machine A.

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__
                   ^^^^^^^^^^^^^^^^^^^^^^^^
Connection: keep-alive
Cache-Control: max-age=0

2. Clear the cookies of the browser on machine B.

3. Request the project homepage on machine B and modify the Set-Cookie in the response to A's cookie.

GET XXX HTTP/1.1
Host: XXXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Date: Thu, 15 Aug 2013 10:45:23 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__; Path=/; Secure
                       ^^^^^^^^^^^^^^^^^^^^^^^^^
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 24896

4. Log in in the browser on machine B.

Actual results:

Both machine A and machine B are logged in to the project successfully.

Expected results:

Machine A should not be logged in without providing any credentials.

Additional info:

An attacker can modify the user's cookie by sending a malicious link to the user.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
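The four reproduction steps in the report, replayed as an added Python model (constructed for this page; it is not JBoss Portal or EPP code). It contrasts a login that keeps the pre-login JSESSIONID, which is what the report observes, with a login that invalidates that session and issues a fresh id, the Servlet 2.5 era idiom of session.invalidate() followed by request.getSession(true), since request.changeSessionId() only exists from Servlet 3.1. The in-memory SessionStore, the USERS table and the password in it are assumptions made for the example.

```python
"""Model of the session-fixation flow from JBPORTAL-2495 (constructed example,
not JBoss Portal code): a server-issued session id that survives login versus
a login that rotates the id."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed user table for the example only (assumption, not real data).
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None            # None until a login succeeds
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for the container's session manager (assumed)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def issue(self) -> str:
        """Server-issued id, like the Set-Cookie seen in step 3 of the report."""
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = Session()
        return sid

    def is_authenticated(self, sid: str) -> bool:
        sess = self.sessions.get(sid)
        return sess is not None and sess.user is not None


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def login_vulnerable(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Authenticates the caller but keeps the pre-login session id, so anyone
    who already holds that id (machine A in the report) is logged in too.
    setdefault also accepts an id the server never issued."""
    if not check_password(user, password):
        raise PermissionError("bad credentials")
    store.sessions.setdefault(sid, Session()).user = user
    return sid


def login_hardened(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Same credential check, but the pre-login session is invalidated and a
    fresh id is issued before the authenticated state is attached to it."""
    if not check_password(user, password):
        raise PermissionError("bad credentials")
    old = store.sessions.pop(sid, None)    # invalidate the id the attacker may hold
    new_sid = store.issue()
    store.sessions[new_sid].user = user
    if old is not None:
        store.sessions[new_sid].data.update(old.data)  # carry over non-auth state only
    return new_sid


LoginFn = Callable[[SessionStore, str, str, str], str]


def reproduce(login: LoginFn) -> Tuple[bool, bool, bool]:
    """Replays steps 1-4 of the report and returns
    (machine A authenticated, machine B authenticated, id rotated on login)."""
    store = SessionStore()
    sid_a = store.issue()                 # step 1: machine A holds a server-issued id
    sid_b = sid_a                         # step 3: machine B is made to use A's cookie
    sid_b_after = login(store, sid_b, "alice", USERS["alice"])   # step 4: B logs in
    return (store.is_authenticated(sid_a),
            store.is_authenticated(sid_b_after),
            sid_b_after != sid_a)


if __name__ == "__main__":
    print("no rotation:", reproduce(login_vulnerable))   # (True, True, False)
    print("rotation:   ", reproduce(login_hardened))     # (False, True, True)
```

The third value returned by reproduce() is the check the reporter's steps perform by hand: the JSESSIONID in the Set-Cookie after login must differ from the one the browser sent before login. Note also that the Set-Cookie captured in step 3 carries Secure but not HttpOnly.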

