tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Questions on session hijack bug in 6.0.14 (CVE-2007-5333)
Date Tue, 10 Jun 2008 21:41:28 GMT

Christopher Schultz wrote:
> 
> Mark,
> 
> Mark Thomas wrote:
> | This attack requires luring a user who is already logged in to a webapp
> | running on a vulnerable Tomcat server to a malicious site. With a
> | suitably crafted URL, the attacker is able to steal the authentication
> | cookie for the user who was lured to the malicious site. It is the user
> | that is lured who is the 'current user'.
> 
> Maybe I'm not reading the OP's reference correctly
> (http://securitytracker.com/alerts/2007/Aug/1018557.html) but it looks
> like the URL provided (in the "exploit") doesn't demonstrate what you
> describe.

You are reading the reference correctly. The example is simple but was 
enough to convince the security team that session hijacking was possible.

When it comes to a choice of trying to produce a POC for what we believe to 
be the worst case scenario or working on a fix, the fix is usually all we 
have time for.

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

