tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: Questions on session hijack bug in 6.0.14 (CVE-2007-5333)
Date Tue, 10 Jun 2008 21:41:28 GMT

Christopher Schultz wrote:
> Mark,
> Mark Thomas wrote:
> | This attack requires luring a user who is already logged in to a webapp
> | running on a vulnerable Tomcat server to a malicious site. With a
> | suitably crafted URL, the attacker is able to steal the authentication
> | cookie for the user who was lured to the malicious site. It is the user
> | that is lured who is the 'current user'.
> Maybe I'm not reading the OP's reference correctly
> ( but it looks
> like the URL provided (in the "exploit") doesn't demonstrate what you
> describe.

You are reading the reference correctly. The example is simple but was 
enough to convince the security team that session hijacking was possible.

When it comes to a choice of trying to produce a POC for what we believe to 
be the worst case scenario or working on a fix, the fix is usually all we 
have time for.
