RE: [Security Issue] Sessions are visible across multiple clients

2001-02-28 Thread GOMEZ Henri

Probably partially resolved by the patch I forwarded previously.
From M. Frey

Becoming aware of your own ignorance is a great step towards knowledge.
-- Benjamin Disraeli

-Original Message-
From: Amrhein, Thomas [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 5:59 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Security Issue] Sessions are visible across multiple clients


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]




Re: [Security Issue] Sessions are visible across multiple clients

2001-02-28 Thread William Barker

It has more to do with a bug in SimpleSessionStore.java.  It recycles the
session on create, so then the instance is re-used for the next new session.
I've patched it via:
*** SimpleSessionStore.java.origMon Feb 26 14:59:53 2001
--- SimpleSessionStore.java Wed Feb 28 09:36:40 2001
***
*** 426,432 
if (session == null) {
session = new ServerSession();
session.setManager( this );
-   recycled.put( session );
}

// XXX can return MessageBytes !!!
--- 426,431 
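Review bot: removing `recycled.put( session );` from the `session == null` branch is the right fix: that line handed a freshly allocated, still-live ServerSession to the recycle pool, so the next new session could be served the very instance another client was still using, which is exactly the cross-client sharing reported in this thread. Please confirm that sessions are still added to `recycled` when they expire or are invalidated (that code is outside this hunk); otherwise the pool is never fed and the recycling becomes dead code. The `// XXX can return MessageBytes !!!` marker left in the context is still an open item. Also, the file header `SimpleSessionStore.java.origMon Feb 26 14:59:53 2001` has lost the tab between filename and timestamp, and the `***`, `*** 426,432` and `--- 426,431` markers are truncated, so the diff as pasted will not apply cleanly with `patch`.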

- Original Message -
From: "GOMEZ Henri" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, February 28, 2001 8:59 AM
Subject: RE: [Security Issue] Sessions are visible across multiple clients


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
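To make the root cause Barker describes concrete, here is an added illustration (constructed for this page, not Tomcat's SimpleSessionStore code) of a session store whose object-recycling pool receives a session at creation time, next to the corrected placement of the recycle step at invalidation; the class and method names are assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Toy session store with a recycle pool; constructed illustration, names are assumptions.
public class RecycleOnCreateDemo {
    static class ServerSession {
        String id;
        final Map<String, Object> attrs = new HashMap<>();
    }
    static class SessionStore {
        private final Deque<ServerSession> recycled = new ArrayDeque<>();
        private final boolean recycleOnCreate; // true reproduces the reported behaviour
        private int counter = 0;
        SessionStore(boolean recycleOnCreate) { this.recycleOnCreate = recycleOnCreate; }

        ServerSession createSession() {
            ServerSession session = recycled.poll(); // reuse a pooled instance if one exists
            if (session == null) {
                session = new ServerSession();
                if (recycleOnCreate) {
                    recycled.add(session); // defect: a live session enters the pool at once
                }
            }
            session.id = "S" + (++counter);
            return session;
        }
        // The recycle step belongs here, once the session is no longer in use by anyone.
        void invalidate(ServerSession session) {
            session.attrs.clear();
            session.id = null;
            recycled.add(session);
        }
    }

    // Two clients each request a new session; reports whether the second one received
    // the first client's live session object together with its login state.
    static boolean clientsShareSession(boolean recycleOnCreate) {
        SessionStore store = new SessionStore(recycleOnCreate);
        ServerSession client1 = store.createSession();
        client1.attrs.put("user", "Testuser1"); // client1 logs in
        ServerSession client2 = store.createSession(); // client2 merely opens the page
        return client1 == client2 && "Testuser1".equals(client2.attrs.get("user"));
    }

    public static void main(String[] args) {
        System.out.println("recycle on create -> clients share a session: " + clientsShareSession(true));
        System.out.println("recycle on invalidate -> clients share a session: " + clientsShareSession(false));
    }
}
```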




[Security Issue] Sessions are visible across multiple clients

2001-02-28 Thread Amrhein, Thomas

Hi all,

one session can be visible on multiple clients!!

THIS IS A BIG SECURITY PROBLEM!

Someone opens his web browser and has the session of somebody else.
So critical data could be viewed without permission.
Somebody can act as somebody else.

What's wrong with Tomcat's session-handling?

I wrote a web application which can reproduce this.

I'm working with Tomcat 3.3m1 on WinNT4.
On 3.2 I have the same problems sometimes with our application,
but it is not reproducible there.

To reproduce this:
- put sessiontest.war in %TOMCAT_HOME%/webapps/
- start Tomcat
- open browser1 (Netscape 4.7 or IE5) on machine1 (close it before if it's already open)
- locate browser1 on http://yourtomcat/sessiontest/index.jsp (a cookie will be set)
- browser1: login with name for example 'Testuser1'
- browser1: show settings (The name is displayed)
- open browser2 on machine2 (close it before if it's already open)
- locate browser2 on http://yourtomcat/sessiontest/index.jsp (a cookie will be set)

Browser2 now sees the same content as browser1 (logged in as Testuser1).
Look at the source code in the .war. All objects are session-bound.
Normally you should not be logged in.
Remember that you are on different machines! They should have different
cookies, different sessions, different usernames.
Sometimes, but not often, they have the same Session-ID (I cannot reproduce
this).

Bug #723: sessions are not properly recycled
Perhaps my issue belongs to this.

I've seen different bugs reported but not solved belonging to
session-handling:
#131, 152, 183, 189, 267, 429, 723, 731

Can somebody reproduce this behaviour somewhere else?
And can this behaviour also happen in Tomcat 3.2/3.2.1 (I don't know the
code)?

regards,

Thomas

PS: I'm new to tomcat-dev-mailinglist (two or three hours) to stay tuned.
Perhaps it's already discussed and patched. Please inform me.


Attachment: sessiontest.war
