axis-java-dev mailing list archives

From "Tiago Ferreira Barbosa (JIRA)" <>
Subject [jira] Reopened: (AXIS2-4739) Apache Axis2 Session Fixation
Date Mon, 14 Jun 2010 20:41:15 GMT


Tiago Ferreira Barbosa reopened AXIS2-4739:

Even if the XSS has been corrected, the problem of session fixation is still there because
they are different problems.
The fact that there is no attack vector does not mean it is not vulnerable.

Thank you for your attention

> Apache Axis2 Session Fixation
> -----------------------------
>                 Key: AXIS2-4739
>                 URL:
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.5.1, 1.5, 1.4.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be
>            Reporter: Tiago Ferreira Barbosa
>            Assignee: Glen Daniels
>            Priority: Critical
>             Fix For: 1.6, nightly
> We have found a Session Fixation Vulnerability in the administrative interface of Apache
> Axis2. When successfully exploited, this vulnerability allows an attacker to fixate a session cookie in
> the victim's browser, which makes session hijacking attacks possible.
> The vulnerability was found in the administrative interface of Axis2. By default, it
> is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script
> in existing Axis2 (
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1;
> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code, when run in the victim's browser, fixates the session cookie sent by the
> attacker.
> To protect against session fixation, the HTTP session must be invalidated and recreated
> on login, giving the user a new session id.
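The mitigation stated in the report, shown as an added example that is not code from Axis2 or from the reporter: a servlet login handler that discards whatever session the browser presented (its id may have been planted by a script like the one above) and lets the container issue a fresh JSESSIONID before any authenticated state is stored. The servlet class name, the form parameter names and the checkCredentials stub are assumptions for illustration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet (not part of Axis2) demonstrating session
 * rotation on login: the pre-authentication session is invalidated and a
 * new one is created, so a session id an attacker fixed in the browser
 * before login is never associated with the authenticated user.
 */
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Assumed form parameter names.
        String user = req.getParameter("userName");
        String pass = req.getParameter("password");

        if (!checkCredentials(user, pass)) {
            // No session state is created or changed on a failed login.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Only after the credentials are accepted: throw away the session
        // the browser arrived with and bind the user to a brand-new one.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("user", user);

        resp.sendRedirect(req.getContextPath() + "/axis2-admin/");
    }

    /**
     * Invalidate the current session (if any) and return a newly created
     * one. After invalidate(), getSession(true) makes the container mint a
     * new id and send a new Set-Cookie: JSESSIONID header, so the id the
     * victim's browser had been carrying is dead on the server side.
     * Nothing is copied from the old session on purpose: any attribute set
     * before login could have been influenced by whoever created that session.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        return req.getSession(true);
    }

    /** Placeholder credential check; wire this to the real credential store. */
    private static boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

On a Servlet 3.1 or newer container the same effect can be had with a single call to `req.changeSessionId()`, which keeps the existing attributes and only replaces the id; the invalidate-and-recreate form above works on the older Servlet 2.x API that the affected Axis2 versions ran on, and additionally drops any pre-login attributes. A quick check that the fix is in place: log in, and confirm that the JSESSIONID value in the response's Set-Cookie header differs from the one sent in the login request.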

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
