tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rob Gregory" <Rob.Greg...@ibsolutions.com>
Subject RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
Date Tue, 12 Oct 2010 08:38:12 GMT
As far as I know Tomcat will always generate a new id for each session
it generates. As for how they have detected that your application is
vulnerable to session fixation issues etc. try having a look at Burp
Suite http://portswigger.net/burp/ which detects a great deal of web
application flaws.

Rob



> -----Original Message-----
> From: Brian [mailto:bbprefix-mail@yahoo.com]
> Sent: 11 October 2010 17:06
> To: 'Tomcat Users List'
> Subject: RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
> 
> Hi Mark,
> 
> Well, it seems that www.securitymetrics.com got crazy! They already
told me
> that they made some changes in their system, and now they are having
> problems (bugs).
> I was just asking myself: How can their automatized procedure know if
I am
> vulnerable to the session fixation problem, if it doesnt know a valid
> user+password, so it is not being able to actually login to my system?
> 
> Anyway, something good came from this: I realized that actually my
system
> was not safe to session fixation. After the login process, it was not
> invalidating the session and creating a new one. Now it is. I just had
to
> program the system to save the attributes, invalidadte the current
session,
> create a new one, and recreate the attributes. Fortunately, Tomcat
generates
> a new session ID for the new session. It seems that it was not
happening in
> the previous versions of Tomcat and in other containers (according to
what I
> have read in some forums), but now it is.
> 
> Thanks for all your help!
> 
> 
> > -----Original Message-----
> > From: Mark Thomas [mailto:markt@apache.org]
> > Sent: Sunday, October 10, 2010 03:09 PM
> > To: Tomcat Users List
> > Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
> >
> > On 10/10/2010 20:59, Brian wrote:
> > > Hi Mark,
> > >
> > > Do you understand exactly what vulnerability are they talking
about?
> >
> > No. It doesn't make much sense to me at the minute. I'd ask for more
> specific
> > information.
> >
> > > For
> > > some reason, they have determined that I have it, even though I'm
not
> > > using Jrun but they wrongly assume I am.
> >
> > Looks like it so far. It all depends how they are detecting the
> vulnerability. It
> > could be a false positive but there isn't enough information to
tell.
> >
> > > What do you mean exactly with "app managing its own
authentication"?
> > > Sorry if it is a dumb question.
> >
> > If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat
will
> change
> > the session ID on authentication and therefore protect against
session
> fixation.
> >
> > If the app has its own authentication mechanism it is possible that
the
> session ID
> > will not be changed on authentication creating the possibility for a
> session
> > fixation attack.
> >
> > > I found this on Google, and now that I read it I realize they are
> > > quoting you!  :-)
> > >
http://www.developer.com/java/web/article.php/3904871/Top-7-Features-i
> > > n-Tomc
> > > at-7-The-New-and-the-Improved.htm
> > > Is this the same subject?
> >
> > Yep, although that is looking at Tomcat 7. The session fixation
protection
> (along
> > with a handle of other things originally developed for Tomcat 7) got
> back-ported
> > to Tomcat 6.
> >
> > Mark
> >
> >
---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message