=====[BEGIN-ACROS-REPORT]===== PUBLIC ========================================================================= ACROS Security Problem Report #2004-10-14-2 ------------------------------------------------------------------------- ASPR #2004-10-14-2: Session Fixation in JRun Management Console ========================================================================= Document ID: ASPR #2004-10-14-2-PUB Vendor: Macromedia (http://www.macromedia.com) Target: JRun 4 for Windows, Service Pack 1a Impact: A session fixation vulnerability exists in JRun Management Console, enabling attackers to hijack administrative sessions Severity: High Status: Official patch available, workaround available Discovered by: Mitja Kolsek and Luka Treiber of ACROS Security Current version http://www.acrossecurity.com/aspr/ASPR-2004-10-14-2-PUB.txt Summary ======= A session fixation vulnerability exists in JRun Management Console that enables forcing administrators to log into a preselected session. Product Coverage ================ - JRun 4 for Windows, Service Pack 1a - affected All updaters applied, up to and excluding JRun4 Updater 4. Other versions may also be affected. Analysis ======== JRun employs so-called "session cookies" for HTTP session maintenance. After administrator's login to Management Console, JRun server generates a unique session identifier (session ID) and sends it to administrator's browser as a cookie named JSESSIONID. This session ID effectively becomes a static password for the session, meaning that until the session times out or is closed by the logged in administrator (by logging off), any browser with access to port 8000 of JRun server and knowledge of the session ID will have access to this session, and thereby access to administration of JRun application servers. Management console login process is vulnerable to session fixation (see [1]), allowing an attacker to fix administrator's JSESSIONID cookie in advance and wait for him to log in to management console, thereby providing the attacker with access to the console as well. Solution ======== Macromedia has issued a security bulletin [2] and published JRun4 Updater 4, which fixes this issue. Affected users can download the updater from http://www.macromedia.com/support/jrun/updaters.html Workaround ========== - Don't allow potential attackers access to port 8000 of JRun server. - Always close all browser instances/windows and delete all cookies before logging in to JRun Management Console. References ========== [1] ACROS Security, "Session Fixation Vulnerability in Web-based Applications" http://www.acrossecurity.com/papers/session_fixation.pdf [2] Macromedia Security Bulletin MPSB04-08 http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html Acknowledgments =============== We would like to acknowledge Macromedia for response to our notification of the identified vulnerability. Contact ======= ACROS d.o.o. Makedonska ulica 113 SI - 2000 Maribor e-mail: security@acrossecurity.com web: http://www.acrossecurity.com phone: +386 2 3000 280 fax: +386 2 3000 282 ACROS Security PGP Key http://www.acrossecurity.com/pgpkey.asc [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD] ACROS Security Advisories http://www.acrossecurity.com/advisories.htm ACROS Security Papers http://www.acrossecurity.com/papers.htm ASPR Notification and Publishing Policy http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm Disclaimer ========== The content of this report is purely informational and meant only for the purpose of education and protection. ACROS d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and demonstrations are used only for explanatory purposes and have no connection with any real host, company or individual. In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at user's risk. Revision History ================ October 14, 2004: Initial release Copyright ========= (c) 2004 ACROS d.o.o. Forwarding and publishing of this document is permitted providing the content between "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" marks remains unchanged. =====[END-ACROS-REPORT]=====