Home page logo
/

bugtraq logo Bugtraq mailing list archives

[SECURITY] CVE-2013-2067 Session fixation with FORM authenticator
From: Mark Thomas <markt () apache org>
Date: Fri, 10 May 2013 09:37:40 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2013-2067 Session fixation with FORM authenticator

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.32
- - Tomcat 6.0.21 to 6.0.36

Description:
FORM authentication associates the most recent request requiring
authentication with the current session. By repeatedly sending a request
for an authenticated resource while the victim is completing the login
form, an attacker could inject a request that would be executed using
the victim's credentials. This attack has been prevented by changing the
session ID prior to displaying the login page as well as after the user
has successfully authenticated.


Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Tomcat 7.0.x users should upgrade to 7.0.33 or later
- - Tomcat 6.0.x users should upgrade to 6.0.37 or later

Credit:
This issue was identified by the Apache Tomcat Security Team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRjLHUAAoJEBDAHFovYFnnUnEP/0R3q0uPTHRXem+Jlx6DLLfs
jL3TD1idxqHcUDJhX/mnePwTxIle5lAbPZn6hBknFPdD77kjyflq4TB3ZPUipsip
s2bKzGGlDDZwzRIY46ZqBRcVXuemCu73BjFNLBP6CvjQwm1/wFGuOS+oRRKKigwQ
Ew1Mau3c6Sb0VIED4yrgvhPwJwdi1+rA1TO87p/8rxQIS9CTcUy6J/MICPdvIQiI
zIfr7pIRSNDk9JeC6Ybr/SC5lYqAox6eqOYYNoQ+5zQ1BcCw/eQgWpm4WYM2IDV3
2eNbjS/dylz5zBQEDbzz9VtReBTncQLF6Do2KDhWxkaUaX2oaOTPKlLiyL0gwA4e
IDpHDl9D5mLmBaJi4Lz14cwey5wNgs28ZqX9JCUaLz7qc03J9Au7PrplOr3Xth/Z
rQqeKVxFZKaIKQOm2NKs7v7bZAhzp/mKt/u9ndnk0uKk2Tf3i6QJ1GtICTY22eB6
Eh4s/o2BJDgGop0P7cTmrAv1uKu6/72eoUJBMyyGCIN67URzVZRwMQnmW6TqZoBt
tASvlTVD53HV3aPdhDHDjP9x/6V6cODD29fzn5op59BWhMVuzf+1lhqphJT0hlQQ
lnuf4H9UWG8I8/OzN7XNabIbVuYyhjYWnt8HI/8N/4cAHfA67fXkcbDqleKOd6qo
Pcp0qDLiZqVFSotSkVFl
=hWpv
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • [SECURITY] CVE-2013-2067 Session fixation with FORM authenticator Mark Thomas (May 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]