Received: from [198.76.25.3] (HELO nns.voyanttech.com) by voyanttech.com (CommuniGate Pro SMTP 3.4b3) with SMTP id 3409719 for [EMAIL PROTECTED]; Thu, 09 Jan 2003 03:57:23 -0700
Received: from exchange.sun.com (exchange.sun.com [192.18.33.10]) by nns.voyanttech.com (8.9.3+Sun/8.9.3) with SMTP id EAA06234 for <[EMAIL PROTECTED]>; Thu, 9 Jan 2003 04:45:32 -0500 (EST)
Received: (qmail 26016 invoked by uid 97); 9 Jan 2003 10:58:34 -0000
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <mailto:[EMAIL PROTECTED]>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Id: "Tomcat Developers List" <tomcat-dev.jakarta.apache.org>
Reply-To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Delivered-To: mailing list [EMAIL PROTECTED]
Received: (qmail 26004 invoked by uid 98); 9 Jan 2003 10:58:33 -0000
X-Antivirus: nagoya (v4218 created Aug 14 2002)
Message-ID: <[EMAIL PROTECTED]>
Date: Thu, 09 Jan 2003 10:53:50 +0100
From: Remy Maucherat <[EMAIL PROTECTED]>
Organization: ASF
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2) Gecko/20021126
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Tomcat Developers List <[EMAIL PROTECTED]>
Subject: Re: Duplicate session IDs are *common*
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: multipart/mixed; boundary="------------060506040306030306060400"
X-Spam-Rating: localhost.apache.org 1.6.2 0/1000/N
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
--------------060506040306030306060400
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Schnitzer, Jeff wrote:
> For whatever reason, be it the seed algorithm or the hashing algorithm
> or something else that degenerates the randomness - the duplicate
> session ID problem is very, very common.
>
> I discovered this problem because a few of our users suddenly found
> themselves with the sessions from administrative accounts. Luckily they
> alerted us instead of causing mayhem. There were at least three
> separate occasions of this in the last week - that we heard about.
>
> We have also seen this a number of times with other game components -
> users suddenly finding themselves logged in as other people.
>
> It probably explains the recent post to tomcat-user included below.
>
> Here at my company this problem caused about as much panic as a wildfire
> breaking out in the machine room (read: LOTS). I humbly suggest raising
> the level of concern a bit; post a security bulletin, etc.

We have to make sure the problem is real before putting out any advisory.
You should patch the ManagerBase class to the latest version to see if it helps (compile the latest version, and put it in $CATALINA_HOME/server/classes/org/apache/catalina/session). A compiled version is attached to this email if you can't get it easily.

However:
- We did not have any reports before 4.1.18 that the algorithm used was weak; it was actually believed it was not, and it had been around for a long time (I do not believe it was touched at all for months).
- An MD5 hash occurs after getting the SecureRandom. This looks like a mistake, and decreases the quality of the random a lot, but given the quality of MD5, that shouldn't be noticeable in the real world.
- If collisions *do* actually happen, then it is a security problem and the patch to the StandardManager should fix it. However, it would also indicate that the ids generated can likely be guessed by an attacker, so we also have to fix the algorithm.

Remy

--------------060506040306030306060400
Content-Type: application/octet-stream; name="ManagerBase.class"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

FOR ANTI-VIRUS SECURITY, THIS EMAIL HAS BEEN REJECTED.
REASON: THIS EMAIL CONTAINED AN ATTACHMENT TYPE OF '.class' WHICH IS NOT PERMITTED.

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
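Editor's added example, not code from this message or from Tomcat's ManagerBase: a small Python model of the reasoning in the reply above, namely that duplicates among 128-bit session ids are astronomically unlikely if the generator really has 128 bits of entropy, that hashing a low-entropy seed with MD5 does not add entropy (the ids look random but the number of distinct values does not grow), and that a manager should still refuse to hand out an id that is already active and treat any such retry as a signal that the generator is suspect. Tomcat itself is Java; Python is used here so the example runs stand-alone. Assumptions: the `secrets` module stands in for java.security.SecureRandom, and the "weak" generator with a hypothetical 16-bit effective entropy is constructed purely to model a degenerate seed.

```python
"""Added example (not Tomcat code): why observed session-id collisions imply
guessable ids, and what a session manager should do about them.

Assumptions: Python's `secrets` module stands in for java.security.SecureRandom;
the "weak" generator with a hypothetical 16-bit effective entropy is constructed
here to model a degenerate seed and is not taken from Tomcat's ManagerBase.
"""
import hashlib
import secrets
from typing import Callable, Set

SESSION_ID_BYTES = 16  # 128-bit ids, the size of an MD5 digest, hex-encoded


def expected_colliding_pairs(entropy_bits: int, n_ids: int) -> float:
    """Birthday estimate: n(n-1)/2 pairs, each equal with probability 2**-bits."""
    return n_ids * (n_ids - 1) / 2 / (2.0 ** entropy_bits)


def weak_session_id(entropy_bits: int = 16) -> str:
    """Constructed model of a degenerate generator: only `entropy_bits` of real
    randomness, then MD5-hashed.  The hash changes how the id looks, but the
    number of distinct ids stays at 2**entropy_bits, so collisions persist."""
    seed = secrets.randbelow(1 << entropy_bits).to_bytes(8, "big")
    return hashlib.md5(seed).hexdigest()


def strong_session_id() -> str:
    """128 bits straight from the OS CSPRNG; no hash step is needed."""
    return secrets.token_hex(SESSION_ID_BYTES)


def count_duplicates(gen: Callable[[], str], n: int) -> int:
    """How many of n draws repeat an id that was already handed out."""
    seen: Set[str] = set()
    dups = 0
    for _ in range(n):
        sid = gen()
        if sid in seen:
            dups += 1
        seen.add(sid)
    return dups


class SessionTable:
    """Minimal manager: never hand out an id that is already active.

    A retry here is worth logging: with a sound 128-bit generator it should
    never fire in the lifetime of a deployment, so one firing means the
    generator's effective entropy is far below its nominal width."""

    def __init__(self, gen: Callable[[], str] = strong_session_id) -> None:
        self._gen = gen
        self._active: Set[str] = set()
        self.retries = 0

    def new_session(self) -> str:
        while True:
            sid = self._gen()
            if sid not in self._active:
                self._active.add(sid)
                return sid
            self.retries += 1  # collision: the generator is suspect

    def __len__(self) -> int:
        return len(self._active)


if __name__ == "__main__":
    n = 2000
    print("expected colliding pairs, 128-bit ids, 1e9 sessions:",
          expected_colliding_pairs(128, 10**9))
    print("expected colliding pairs, 16-bit ids, 2000 sessions:",
          expected_colliding_pairs(16, n))
    print("weak generator duplicates in", n, "draws:",
          count_duplicates(weak_session_id, n))
    print("strong generator duplicates in", n, "draws:",
          count_duplicates(strong_session_id, n))
    table = SessionTable(weak_session_id)
    for _ in range(n):
        table.new_session()
    print("table handed out", len(table), "distinct ids after",
          table.retries, "retries")
```

Run as a script, the weak generator repeats ids within a couple of thousand draws while the strong one never does, and the collision-checked table still hands out only distinct ids but records retries, which is the operational symptom that should trigger an investigation of the generator rather than being silently absorbed.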