Red Hat Bugzilla – Bug 806050
tomcat5 vulnerable to session fixation attack
Last modified: 2015-11-01 19:17:07 EST
Description of problem:
Tomcat prior to 5.5.29 is vulnerable to session fixation attacks. In Tomcat 5.5.29 Apache introduced a property in context.xml for authenticators called changeSessionIdOnAuthentication that, when enabled, causes authenticators extending the AuthenticatorBase to change the session ID upon successful authentication. This issue is detailed in https://issues.apache.org/bugzilla/show_bug.cgi?id=45255. I'm requesting that this fix be provided in the version of Tomcat 5 that is bundled with RHEL 5.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. On computer A: Using Firefox and the Live HTTP Headers plugin, access a website on your Tomcat 5.5.23 server that uses some form of access control.
2. On computer A: Look for a cookie in Live HTTP Headers for JSESSIONID and copy the value of that cookie.
3. On computer B: Open Firefox with the Advanced Cookie Manager plugin. Add a cookie for that site (Tools->Cookie Manager, click Add Cookie) for JSESSIONID with the same value identified from Live HTTP Headers.
4. On Computer B: Access a protected URL for that site on your Tomcat 5.5.23 server.
Actual results:
User on computer B can freely use the site as if they were the user on computer A.
Expected results:
Upon successful authentication Tomcat would generate a new session ID, thereby blocking any attempt to set a fixed session by an attacker.
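The mitigation the report asks for can also be applied at the application level on Tomcat builds that lack the changeSessionIdOnAuthentication attribute. The helper below is an added example, not code from the bug report or from Tomcat; it assumes the application verifies credentials itself (a login servlet) rather than relying on container-managed authentication, and the class and attribute names are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper: rotate the session ID once credentials have been
 * verified, so a JSESSIONID value that existed before login (and may have
 * been planted by someone else) no longer identifies the authenticated session.
 */
public final class SessionRotator {

    private SessionRotator() {}

    /** Call immediately after the application has verified the user's credentials. */
    public static HttpSession rotateAfterLogin(HttpServletRequest request, String principalName) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            // Copy only the state that should survive login; everything else is
            // discarded together with the pre-authentication session.
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the old ID is now unusable on this server
        }
        // getSession(true) after invalidate() allocates a new ID and causes
        // Tomcat to send a fresh Set-Cookie: JSESSIONID to the client.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("authenticatedUser", principalName);
        return fresh;
    }
}
```

This only covers logins the application handles itself; for container-managed (AuthenticatorBase) logins the context.xml attribute described in the report, or a Tomcat version that provides it, is still required.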
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time.
Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the last planned RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX. To request that Red Hat re-consider this request, please re-open the bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).