[
https://issues.apache.org/jira/browse/AXIS2-4739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15315645#comment-15315645
]
Hudson commented on AXIS2-4739:
-------------------------------
SUCCESS: Integrated in axis2-1.7 #70 (See
[https://builds.apache.org/job/axis2-1.7/70/])
AXIS2-4739: Merge recent webapp changes to the 1.7 branch to protect the admin
console against session fixation attacks. (veithen: rev 1746850)
* axis2
*
axis2/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
*
axis2/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java
*
axis2/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
* axis2/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
* axis2/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
* axis2/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
*
axis2/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
*
axis2/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
* axis2/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
* axis2/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
* axis2/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
* axis2/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
* axis2/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
* axis2/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
* axis2/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
* axis2/modules/webapp/src/main/webapp/axis2-web/index.jsp
* axis2/modules/webapp/src/main/webapp/axis2-web/listFaultyService.jsp
* axis2/modules/webapp/src/main/webapp/axis2-web/listGroupService.jsp
* axis2/modules/webapp/src/main/webapp/axis2-web/listServices.jsp
* axis2/systests/webapp-tests/pom.xml
*
axis2/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java
*
axis2/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
*
axis2/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
*
axis2/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java
*
axis2/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/WebappITCase.java
> Apache Axis2 Session Fixation
> -----------------------------
>
> Key: AXIS2-4739
> URL: https://issues.apache.org/jira/browse/AXIS2-4739
> Project: Axis2
> Issue Type: Bug
> Affects Versions: 1.4.1, 1.5, 1.5.1
> Environment: Tested on Linux Ubuntu & Debian. Other distributions may
> be vulnerable.
> Reporter: Tiago Ferreira Barbosa
> Assignee: Andreas Veithen
> Priority: Critical
> Labels: security
> Fix For: 1.8.0
>
>
> We have found a Session Fixation Vulnerability in administrative interface of
> Apache Axis2. When successfully exploited, this vulnerability allows to
> fixate a session Cookie in the browser of the victim, this way it's possible
> to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By
> default, it is accessible at the path /axis2/axis2-admin. To exploit this
> flaw, we used a Cross Site Script in existing Axis2
> (http://www.exploit-db.com/exploits/12721/).
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage
> 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1;
>
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/";</script>
> The above code when run on the victim's browser, fixates the session cookie
> sent by the attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and
> recreated on login, giving the user a new session id.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
