lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 23 Jun 2010 11:28:52 -0300
From: Tiago Ferreira Barbosa <tiago@...pest.com.br>
To: bugtraq@...urityfocus.com
Subject: Apache Axis Session Fixation Vulnerability

=====[ Tempest Security Intelligence - Advisory #02 / 2010 ]===========


Vulnerability  =>  [  'Apache Axis Session Fixation Vulnerability' ]
      
Authors        =>  ['Tiago Ferreira <tiago *SPAM* tempest.com.br>'
                   'Leandro Oliveira <leandro *SPAM* tempest.com.br>' ]


========[ Table of Contents ]===========================================

 1. Overview
 2. Detailed description
 3. Other contexts & Solutions
 4. Thanks
 5. References


========[ Overview ]============================================================


 * System affected =>  [ 'Apache Axis <= 1.5' ] 
 * Release date:   =>  [ '24 June 2010' ]
 * Impact		  =>  [ 'Successful exploitation of this vulnerability may
lead to remote administrative interface to accept a Session Hijacking' ]
														 

Axis2 [1] claims to be a Web Services / SOAP / WSDL engine, the
successor to the widely used Apache Axis SOAP stack. Nowadays, there are
two implementations of the Apache Axis2 Web services engine - Apache
Axis2/Java and Apache Axis2/C.

We have found a Session Fixation Vulnerability [2][3] in Apache Axis2.
When successfully exploited, this vulnerability allows to fixate a
Session Cookie in the browser of the victim, this way it's possible to
perform session hijacking attacks.

The chances of achieving success increases when the application is
vulnerable to Cross Site Scripting or HTTP Header Injection.


=====[ Detailed description ]===========================================

The vulnerability was found in the administrative interface of Axis2. By
default, it is accessible at the path /axis2/axis2-admin. To exploit
this flaw, we used a Cross Site Script in existing 
Axis2 (http://www.exploit-db.com/exploits/12721/).


Code Snippet:

http://example:8080/axis2/axis2-admin/engagingglobally?submit=%2bEngage
2b&modules=<script>document.cookie="JSESSIONID=C958373831119190D2DC7838BA177980.tomcat1; 
Path=/axis2";document.location="http://example:8080/axis2/axis2-admin/"</script>

The above code when run on the victim's browser, fixates the session
cookie sent by the attacker to it.


=====[ Other contexts & Solutions ]=====================================

As usual, we contacted the Apache Team [4]. Until this date there is no
known fix to solve this flaw.
  

========[ Thanks ]=====================================================

- Tempest Security Intelligence [5] - Pentest Team
- Evandro Curvelo Hora		    - evandro *SPAM* tempest.com.br
 

========[ References ]=================================================

 [1] http://ws.apache.org/axis2/
 [2] http://projects.webappsec.org/Session-Fixation
 [3]
http://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)
 [4] https://issues.apache.org/jira/browse/AXIS2-4739
 [5] http://www.tempest.com.br



Powered by blists - more mailing lists