RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
As far as I know Tomcat will always generate a new id for each session it generates. As for how they have detected that your application is vulnerable to session fixation issues etc., try having a look at Burp Suite http://portswigger.net/burp/ which detects a great deal of web application flaws.

Rob

-----Original Message-----
From: Brian [mailto:bbprefix-m...@yahoo.com]
Sent: 11 October 2010 17:06
To: 'Tomcat Users List'
Subject: RE: JSESSIONID weakness Severity in Tomcat 6.0.29?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
Hi Mark,

Well, it seems that www.securitymetrics.com got crazy! They already told me that they made some changes in their system, and now they are having problems (bugs). I was just asking myself: How can their automated procedure know if I am vulnerable to the session fixation problem, if it doesn't know a valid user+password, so it is not able to actually log in to my system?

Anyway, something good came from this: I realized that actually my system was not safe from session fixation. After the login process, it was not invalidating the session and creating a new one. Now it is. I just had to program the system to save the attributes, invalidate the current session, create a new one, and recreate the attributes. Fortunately, Tomcat generates a new session ID for the new session. It seems that it was not happening in the previous versions of Tomcat and in other containers (according to what I have read in some forums), but now it is.

Thanks for all your help!

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Sunday, October 10, 2010 03:09 PM
To: Tomcat Users List
Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
JSESSIONID weakness Severity in Tomcat 6.0.29?
Hi,

I'm using Tomcat 6.0.29. In my site, I'm using a security certificate from http://www.securitymetrics.com, which has been invalidated today, giving the following reason:

Description: JRun JSESSIONID weakness
Severity: Potential Problem
CVE: CVE-2004-1478 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1478
     CVE-2004-2182 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2182
Impact: Several vulnerabilities in JRun server could allow an intruder to view arbitrary files, execute arbitrary code, or list directories on the server.
Background: JRun is a Java application server from Macromedia. It runs on both Unix and Windows NT/2000 systems, and can act as a standalone server or connect with Apache, IIS or Netscape web servers. ColdFusion is a web application development Solution which can run with or without a web application server.
Resolution: For JRun 2.3.3, apply the patches referenced in Macromedia Product Security Bulletins 00-28 (http://www.adobe.com/devnet/security/security_zone/asb00-28.html) and 00-29 (http://www.adobe.com/devnet/security/security_zone/asb00-29.html). For JRun 3.0 and 3.1, install the cumulative patch referenced in Macromedia Product Security Bulletin 04-08 (http://www.adobe.com/devnet/security/security_zone/mpsb04-08.html). For JRun 4.0, install the cumulative patch referenced in Macromedia Product Security Bulletin 05-13 (http://www.adobe.com/devnet/security/security_zone/mpsb05-13.html) and the patches in Adobe Product Security Bulletins 07-05 (http://www.adobe.com/support/security/bulletins/apsb07-05.html) and 09-12 (http://www.adobe.com/support/security/bulletins/apsb09-12.html). For ColdFusion MX 6.0 and 6.1, install the patch referenced in Macromedia Product Security Bulletin 04-09 (http://www.adobe.com/devnet/security/security_zone/mpsb04-09.html) and the patch in Adobe Product Security Bulletin 07-05 (http://www.adobe.com/support/security/bulletins/apsb07-05.html). Bulletins can be found in the Macromedia Security Zone (http://www.adobe.com/support/security/).
Vulnerability Details: Service: http

I'm not using Jrun, but I guess the vulnerability applies also to Tomcat 6.0.29, so they treated me as if I was using Jrun with that vulnerability. Does anybody know what I should do to solve this now?

I guess they are talking about this issue (please read issue # 2):
http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm

Brian
Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
On 10/10/2010 20:32, Brian wrote:
> I'm not using Jrun, but I guess the vulnerability applies also to Tomcat 6.0.29, so they treated me as if I was using Jrun with that vulnerability.

That guess has no basis in fact.

> Does anybody know what I should do to solve this now?

There is nothing to fix unless you are running an app that is vulnerable (possible if the app manages its own authentication). If you are, fix your app.

> I guess they are talking about this issue (please read issue # 2):
> http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm

Did you look at the Tomcat 6.0.x change log? Go read the entries for 6.0.21.

Mark
RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
Hi Mark,

Do you understand exactly what vulnerability they are talking about? For some reason, they have determined that I have it, even though I'm not using Jrun, but they wrongly assume I am.

What do you mean exactly with "app managing its own authentication"? Sorry if it is a dumb question.

I found this on Google, and now that I read it I realize they are quoting you! :-)
http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
Is this the same subject?

Thanks a lot for your response!

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Sunday, October 10, 2010 02:46 PM
To: Tomcat Users List
Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
On 10/10/2010 20:59, Brian wrote:
> Hi Mark,
> Do you understand exactly what vulnerability they are talking about?

No. It doesn't make much sense to me at the minute. I'd ask for more specific information.

> For some reason, they have determined that I have it, even though I'm not using Jrun, but they wrongly assume I am.

Looks like it so far. It all depends how they are detecting the vulnerability. It could be a false positive but there isn't enough information to tell.

> What do you mean exactly with "app managing its own authentication"? Sorry if it is a dumb question.

If you use Tomcat's authentication (BASIC, FORM, etc.) then Tomcat will change the session ID on authentication and therefore protect against session fixation. If the app has its own authentication mechanism it is possible that the session ID will not be changed on authentication, creating the possibility for a session fixation attack.

> I found this on Google, and now that I read it I realize they are quoting you! :-)
> http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
> Is this the same subject?

Yep, although that is looking at Tomcat 7. The session fixation protection (along with a handful of other things originally developed for Tomcat 7) got back-ported to Tomcat 6.

Mark
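Mark's explanation above (Tomcat's own BASIC/FORM authentication changes the session ID on login, so an app with its own login must do the same itself) and Brian's description of his fix earlier in the thread (save the attributes, invalidate the session, create a new one, recreate the attributes) are two halves of one technique. The following is an added example of that technique and is not code from the thread or from Tomcat. The `LoginServlet` class, the `checkCredentials` method, the in-memory `USERS` table and the attribute name `authenticatedUser` are assumptions for illustration; the save/invalidate/recreate sequence is written for the Servlet 2.5 API that Tomcat 6 implements.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (assumed names, not Tomcat's or the thread's code): an
// application-managed login that rotates the session ID after a successful
// credential check, so a JSESSIONID the client held before login is useless.
public class LoginServlet extends HttpServlet {

    // Constructed stand-in for the application's real credential store.
    // A real store would hold salted password hashes, not plaintext.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "correct horse battery staple");
    }

    /**
     * Replace the caller's current session with a freshly created one that
     * carries the same attributes. The old session is invalidated, so the
     * pre-login session ID (whether attacker-supplied or just pre-issued)
     * no longer maps to anything on the server; the container assigns a
     * new ID to the session created afterwards.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            // Servlet 2.5 returns a raw Enumeration; the names are Strings.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null || !checkCredentials(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate only once the credentials are verified, then mark the new
        // session (and only the new session) as authenticated.
        HttpSession session = rotateSession(req);
        session.setAttribute("authenticatedUser", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Constant-time comparison against the constructed user table.
    private static boolean checkCredentials(String user, String password) {
        String expected = USERS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }
}
```

The order matters: the attributes are copied before `invalidate()`, because reading from an invalidated session throws `IllegalStateException`, and the `authenticatedUser` marker is set only on the fresh session so that nothing ever flags the old ID as logged in. On Servlet 3.1 and later containers (Tomcat 8 onwards) `HttpServletRequest.changeSessionId()` performs the same rotation in one call while keeping the attributes in place; on Tomcat 6 the manual sequence above is what Brian describes doing.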
RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
Mark,

I'm not using either basic or form. I developed my own solution, which works great for me. Assuming that the session fixation is my problem, what would you suggest me to do? Is there any web page on the internet that explains the issue?

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Sunday, October 10, 2010 03:09 PM
To: Tomcat Users List
Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
Google session fixation -- http://en.wikipedia.org/wiki/Session_fixation

On Oct 10, 2010, at 6:24 PM, Brian wrote:
> Mark,
> I'm not using either basic or form. I developed my own solution, which works great for me. Assuming that the session fixation is my problem, what would you suggest me to do? Is there any web page on the internet that explains the issue?
RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
> From: Brian [mailto:bbprefix-m...@yahoo.com]
> Subject: RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
>
> I'm not using either basic or form. I developed my own solution, which works great for me.

Apparently not, or you wouldn't have gotten the bad security review.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
I must say you are right :-( But I will solve it! :-)

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Sunday, October 10, 2010 06:44 PM
To: Tomcat Users List
Subject: RE: JSESSIONID weakness Severity in Tomcat 6.0.29?

> Apparently not, or you wouldn't have gotten the bad security review.
>
>  - Chuck
RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
Thanks! It was as easy as Googling the subject, but I didn't know exactly what the name of it was.

-----Original Message-----
From: Ken Bowen [mailto:kbo...@als.com]
Sent: Sunday, October 10, 2010 05:52 PM
To: Tomcat Users List
Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?

> Google session fixation -- http://en.wikipedia.org/wiki/Session_fixation
RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
> From: Brian [mailto:bbprefix-m...@yahoo.com]
> Subject: RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
>
> It was as easy as Googling the subject, but I didn't know exactly what the name of it was.

More seriously: is there a particular reason you chose to roll your own security mechanism, rather than using a proven, container-managed one?

 - Chuck
RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
To be honest with you, I was not familiar with the options available in the container itself. I am still not familiar indeed.

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Sunday, October 10, 2010 07:41 PM
To: Tomcat Users List
Subject: RE: JSESSIONID weakness Severity in Tomcat 6.0.29?

> More seriously: is there a particular reason you chose to roll your own security mechanism, rather than using a proven, container-managed one?
>
>  - Chuck
RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
> From: Brian [mailto:bbprefix-m...@yahoo.com]
> Subject: RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
>
> I was not familiar with the options available in the container itself. I am still not familiar indeed.

Probably the best place to start researching would be sections 7 and 12 of the servlet spec. You can download a copy of the spec here:
http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html

 - Chuck