[https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15315567#comment-15315567]
Hudson commented on AXIS2-4739:
-------------------------------
SUCCESS: Integrated in Axis2 #3547 (See [https://builds.apache.org/job/Axis2/3547/])
AXIS2-4739: Protect the admin console against session fixation attacks.
(veithen: rev 1746842)
* axis2/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
* axis2/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
> Apache Axis2 Session Fixation
> -----------------------------
>
> Key: AXIS2-4739
> URL: https://issues.apache.org/jira/browse/AXIS2-4739
> Project: Axis2
> Issue Type: Bug
> Affects Versions: 1.4.1, 1.5, 1.5.1
> Environment: Tested on Linux Ubuntu & Debian. Other distributions may
> be vulnerable.
> Reporter: Tiago Ferreira Barbosa
> Assignee: Andreas Veithen
> Priority: Critical
> Labels: security
>
> We have found a Session Fixation Vulnerability in the administrative interface of
> Apache Axis2. When successfully exploited, this vulnerability allows an attacker to
> fixate a session cookie in the browser of the victim; this way it is possible
> to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By
> default, it is accessible at the path /axis2/axis2-admin. To exploit this
> flaw, we used an existing Cross-Site Scripting flaw in Axis2
> (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage%2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie
> sent by the attacker.
> To protect against session fixation, the HTTP session must be invalidated and
> recreated on login, giving the user a new session id.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
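The defence stated in the last quoted paragraph of the report (invalidate the session and issue a new id on login), as an added standalone example. This is not the AdminActions.java change referenced in the build notice, which is not shown on this page; it models a servlet container's session table in memory and puts the fixation-prone login beside the rotating one so the attack and the fix can be run side by side. The "admin"/"axis2" credentials, the in-memory store and the session id format are constructed for the example.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Added example (not Axis2 code): a self-contained model of a servlet
// container's session registry, with a login handler that keeps the
// pre-login session id (fixation-prone) beside one that invalidates and
// recreates the session after the password check, which is the fix
// AXIS2-4739 describes. Credentials and session ids are constructed.
public class SessionFixationDemo {

    // Stand-in for the container's session table: id -> attributes.
    static final class SessionStore {
        private final Map<String, Map<String, Object>> sessions = new HashMap<>();
        private final SecureRandom rng = new SecureRandom();

        // Creates a session with an unpredictable id (128 random bits, hex).
        String create() {
            byte[] raw = new byte[16];
            rng.nextBytes(raw);
            StringBuilder id = new StringBuilder();
            for (byte b : raw) id.append(String.format("%02x", b));
            sessions.put(id.toString(), new HashMap<>());
            return id.toString();
        }

        // Returns null for ids the container never issued or has invalidated.
        Map<String, Object> get(String id) { return id == null ? null : sessions.get(id); }

        void invalidate(String id) { sessions.remove(id); }
    }

    // Constructed demo credential; a real console checks a password store.
    static boolean checkPassword(String user, String password) {
        return "admin".equals(user) && "axis2".equals(password);
    }

    // Vulnerable pattern: authenticate inside whatever session the request's
    // cookie names. If the attacker planted that id, they now share the
    // admin session. Returns the id the Set-Cookie response would carry.
    static String loginKeepingSession(SessionStore store, String cookieId,
                                      String user, String password) {
        if (!checkPassword(user, password)) return cookieId;
        Map<String, Object> session = store.get(cookieId);
        if (session == null) {            // container treats unknown ids as new
            cookieId = store.create();
            session = store.get(cookieId);
        }
        session.put("user", user);
        return cookieId;                  // unchanged: the planted id is now authenticated
    }

    // Hardened pattern: after the password check, discard the pre-login session
    // and issue a fresh id. Any id known to the attacker stays unauthenticated.
    static String loginRotatingSession(SessionStore store, String cookieId,
                                       String user, String password) {
        if (!checkPassword(user, password)) return cookieId;
        Map<String, Object> carried = new HashMap<>();
        Map<String, Object> old = store.get(cookieId);
        if (old != null) {
            carried.putAll(old);          // keep harmless pre-login state, e.g. a locale
            store.invalidate(cookieId);   // the planted id is now dead
        }
        String freshId = store.create();
        Map<String, Object> session = store.get(freshId);
        session.putAll(carried);
        session.put("user", user);
        return freshId;
    }

    // What the admin console does on every request: is this id an admin session?
    static boolean isAuthenticated(SessionStore store, String cookieId) {
        Map<String, Object> session = store.get(cookieId);
        return session != null && "admin".equals(session.get("user"));
    }

    public static void main(String[] args) {
        // Attacker obtains a valid, unauthenticated id from the console and plants
        // it in the victim's browser (the XSS in the report does this via
        // document.cookie). The victim then logs in with that id in place.
        SessionStore vulnerable = new SessionStore();
        String planted = vulnerable.create();
        String victimId = loginKeepingSession(vulnerable, planted, "admin", "axis2");
        System.out.println("no rotation:   attacker's planted id is admin = "
                + isAuthenticated(vulnerable, planted)
                + " (victim got same id: " + victimId.equals(planted) + ")");

        SessionStore hardened = new SessionStore();
        planted = hardened.create();
        victimId = loginRotatingSession(hardened, planted, "admin", "axis2");
        System.out.println("with rotation: attacker's planted id is admin = "
                + isAuthenticated(hardened, planted)
                + ", victim's fresh id is admin = " + isAuthenticated(hardened, victimId));
    }
}
```

In servlet code the rotating variant is the same sequence after the credential check: `HttpSession old = request.getSession(false); if (old != null) old.invalidate();` followed by `request.getSession(true)`, or a single `request.changeSessionId()` on Servlet 3.1 and later. To check a deployed console, note the JSESSIONID issued before login, log in, and confirm that the Set-Cookie in the login response carries a different value and that a request using the old id is no longer treated as authenticated. The rotation only helps if the password check happens first; rotating on every request, or before the check, leaves the attacker able to re-plant the new id.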