axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andreas Veithen (JIRA)" <>
Subject [jira] [Updated] (AXIS2-4739) Apache Axis2 Session Fixation
Date Sat, 04 Jun 2016 21:45:59 GMT


Andreas Veithen updated AXIS2-4739:
    Fix Version/s:     (was: 1.8.0)

> Apache Axis2 Session Fixation
> -----------------------------
>                 Key: AXIS2-4739
>                 URL:
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.4.1, 1.5, 1.5.1
>         Environment: Tested on Linux Ubuntu & Debian. Other distributions may be
>            Reporter: Tiago Ferreira Barbosa
>            Assignee: Andreas Veithen
>            Priority: Critical
>              Labels: security
>             Fix For: 1.7.4
> We have found a Session Fixation Vulnerability in administrative interface of Apache
Axis2. When successfully exploited, this vulnerability allows to fixate a session Cookie in
the browser of the victim, this way it's possible to perform session hijacking attacks.
> The vulnerability was found in the administrative interface of Axis2. By default, it
is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used a Cross Site Script
in existing Axis2 (
> Code Snippet:
> http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1;

> Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>
> The above code when run on the victim's browser, fixates the session cookie sent by the
attacker to it.
> To protect against session fixation, the HTTP session must be invalidated and recreated
on login, giving the user a new session id. 

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message