Return-Path: 
 <users-return-181151-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 35217 invoked from network); 10 Jun 2008 21:19:11 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 10 Jun 2008 21:19:11 -0000
Received: (qmail 82648 invoked by uid 500); 10 Jun 2008 21:18:50 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 82626 invoked by uid 500); 10 Jun 2008 21:18:50 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 82609 invoked by uid 99); 10 Jun 2008 21:18:50 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Jun 2008 14:18:49 -0700
X-ASF-Spam-Status: No, hits=1.2 required=10.0
	tests=SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Received: from [64.99.136.148] (HELO smtprelay-virgin.hostedemail.com)
 (64.99.136.148)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 10 Jun 2008 21:17:57 +0000
Received: from filter.hostedemail.com (ff-bigip1 [10.5.19.254])
	by smtprelay05.hostedemail.com (Postfix) with SMTP id 9A4CA91636
	for <users@tomcat.apache.org>; Tue, 10 Jun 2008 21:17:44 +0000 (UTC)
X-SpamScore: 1
Received: from [192.168.0.100] (unknown [91.109.170.18])
	(Authenticated sender: med.thomas)
	by omf12.hostedemail.com (Postfix) with ESMTP
	for <users@tomcat.apache.org>; Tue, 10 Jun 2008 21:17:43 +0000 (UTC)
Message-ID: <484EEF75.6050609@apache.org>
Date: Tue, 10 Jun 2008 22:17:41 +0100
From: Mark Thomas <markt@apache.org>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Questions on session hijack bug in 6.0.14 (CVE-2007-5333)
References: <6a2e4e5d0806031315s48e7657elcc60e6ee56a2ba91@mail.gmail.com>
 <4845D469.8090900@apache.org> <484ED960.9070508@christopherschultz.net>
In-Reply-To: <484ED960.9070508@christopherschultz.net>
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-session-marker: 6D65642E74686F6D6173
X-Spam-Summary: 
 2,0,0,4c36799c7cac4d03,7c3b34f5a48ccd35,markt@apache.org,,RULES_HIT:152:355:379:599:601:854:945:946:967:973:988:989:1187:1260:1261:1277:1311:1313:1314:1345:1359:1437:1515:1516:1518:1534:1542:1593:1594:1676:1711:1730:1747:1766:1792:2393:2559:2562:2690:2693:2736:2892:2894:2901:3027:3355:3865:3866:3867:3868:3869:3870:3871:3872:3873:3874:4250:5007:6119:7652:7875,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not
 bulk,SPF:fu,MSBL:none,DNSBL:none
X-Virus-Checked: Checked by ClamAV on apache.org


Christopher Schultz wrote:
> Mark Thomas wrote:
> | The worst case is that the attacker will obtain the ID for the current
> | session. With this the attacker has access to the session as the current
> | user.
> 
> Who is "the current user"? If the attacker already has the session id,
> there's no need to hit the server to ... obtain the session id, right?
> Knowledge of the id of a session pretty much gives someone the right to
> act as that user. Any (valid) user has easy access to their session id:
> it's either in the URL or in a cookie value.
This attack requires luring a user who is already logged in to a webapp 
running on a vulnerable Tomcat server to a malicious site. With a suitably 
crafted URL, the attacker is able to steal the authentication cookie for 
the user who was lured to the malicious site. It is the user that is lured 
who is the 'current user'.

> If the only way to exploit this is to have foreknowledge of a session
> id, isn't the security question moot? The session id must have been
> leaked previously, right?
> 
> Maybe I'm seriously missing the point. :(
See above.

> |> 3.) Could this affect authenticated sessions over HTTPS?
> |
> | Yes, depending on the authentication used. Eg, if you use FORM the
> | session is vulnerable, if you use CLIENT-CERT it isn't.
> 
> Why is the session protected if CLIENT-CERT is being used? Because the
> attacker presumably does not have the correct client cert?
Yes.

> If that's the
> case, how was the attack carried out in the first place?
Again, see above.

> |> 7.) If this is as big of a deal as it looks like, why is there no more
> |> information available / more questions being posted / the world seems
> |> shockingly quiet about this.
> |
> | I think your worst case assumption re Q2 has lead to an over estimate of
> | the impact of this.
> | It is made worse when an app allows user provided data to find its way
> | unfiltered into cookie content - this shouldn't happen and where it does
> | should be easy to fix.
> 
> Any client can send a bogus cookie, though, right? On the other hand,
> what good is sabotaging your own request...?
They can but that is harder (but not impossible) for an attacker to trick a 
client into doing that. When a request parameter is used in/as the cookie 
value the attack is a lot easier.

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org