AXIS2-4739

Apache Axis2 Session Fixation


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.4.1, 1.5, 1.5.1
    • Fix Version/s: 1.7.4
    • Component/s: None
    • Labels:
    • Environment:
      Tested on Linux Ubuntu & Debian. Other distributions may be vulnerable.

      Description

      We have found a session fixation vulnerability in the administrative interface of Apache Axis2. When successfully exploited, this vulnerability allows an attacker to fix a session cookie in the victim's browser, which makes session hijacking attacks possible.

      The vulnerability was found in the administrative interface of Axis2. By default, it is accessible at the path /axis2/axis2-admin. To exploit this flaw, we used an existing cross-site scripting flaw in Axis2 (http://www.exploit-db.com/exploits/12721/).

      Code Snippet:

      http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage 2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1;
      Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>

      The above code, when run in the victim's browser, fixes the session cookie chosen by the attacker in that browser.

      To protect against session fixation, the HTTP session must be invalidated and recreated on login, giving the user a new session id.
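The fix described in the previous paragraph, as an added illustration that is not Axis2's own code nor the patch shipped in 1.7.4: a servlet-side helper (hypothetical class and attribute names) that discards whatever session id the browser presented before authentication and has the container issue a fresh one.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not Axis2 code): rotate the HTTP session at login. */
public final class SessionRotator {

    private SessionRotator() {}

    /**
     * Call only after the user's credentials have been verified.
     * Any session id the browser presented before login (possibly one
     * planted via a fixation attack) is invalidated; the response that
     * follows carries a JSESSIONID the attacker never saw.
     */
    public static HttpSession rotateOnLogin(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            // Carry over only harmless pre-login state (hypothetical "ui." prefix);
            // never copy anything that asserts authentication status.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (name.startsWith("ui.")) {
                    keep.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();   // the pre-login id is now unusable server-side
        }
        // getSession(true) after invalidate() makes the container generate a new id
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("authenticatedUser", username);
        return fresh;
    }
}
```

On Servlet 3.1 or later containers, request.changeSessionId() performs the same id rotation while keeping all attributes, so the copy loop above is only needed on older containers such as the Tomcat generation named in the report's cookie.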

            People

            • Assignee: Andreas Veithen (veithen)
            • Reporter: Tiago Ferreira Barbosa (tiagoferreira)
