Vigil@nce - Apache Tomcat: obtaining the session identifier even with disableURLRewriting
March 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can obtain the session identifier of Apache Tomcat, in
order to spoof the identity of the current user.
– Impacted products: Tomcat, Ubuntu
– Severity: 2/4
– Creation date: 25/02/2014
DESCRIPTION OF THE VULNERABILITY
The Apache Tomcat product supports two methods to track a session:
– the session identifier is stored in a cookie
– the session identifier is provided as a parameter on the url
(http://s/;jsessionid=1234)
The second method is potentially dangerous, because the identifier
is logged in proxies logs for example. The disableURLRewriting
option can be used to disable this method.
However, since version 6.0.33, this option is ignored.
An attacker can therefore obtain the session identifier of Apache
Tomcat, in order to spoof the identity of the current user.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN