what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ACROS Security Problem Report 2004-10-14.3

ACROS Security Problem Report 2004-10-14.3
Posted Oct 26, 2004
Authored by Mitja Kolsek, ACROS Security | Site acrossecurity.com

ACROS Security Problem Report #2004-10-14-3 - An HTTP response splitting vulnerability exists in JRun server session management. It allows an attacker to issue an arbitrary HTTP header or HTTP body to a browser. Version affected: JRun 4 for Windows, Service Pack 1a, possibly others.

tags | advisory, web, arbitrary
systems | windows
SHA-256 | e6f43a53cf3a775f98b530eb7119a6ed338615cc3fda3c5261f7bfb46238ec5a

ACROS Security Problem Report 2004-10-14.3

Change Mirror Download
=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2004-10-14-3
-------------------------------------------------------------------------
ASPR #2004-10-14-3: Unsanitized Session ID Cookie Allows Modifying Server
Response
=========================================================================

Document ID: ASPR #2004-10-14-3-PUB
Vendor: Macromedia (http://www.macromedia.com)
Target: JRun 4 for Windows, Service Pack 1a
Impact: It is possible to have JRun server issue an arbitrary
HTTP header or body
Severity: Medium
Status: Official patch available
Discovered by: Mitja Kolsek of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2004-10-14-3-PUB.txt


Summary
=======

An HTTP response splitting vulnerability (see [1]) exists in JRun
server session management. It allows an attacker to issue an arbitrary
HTTP header (e.g., a session cookie) or HTTP body (e.g., causing a
cross site scripting) to a browser.


Product Coverage
================

- JRun 4 for Windows, Service Pack 1a - affected

All updaters applied, up to and excluding JRun4 Updater 4.
Other versions may also be affected.


Analysis
========

Using HTTP response splitting, it is possible to arbitrarily modify server's
response. This feature can be used very effectively for poisoning HTTP proxy
servers' cache (see [1]), for for session fixation (see [2]) and cross site
scripting attacks.


Solution
========

Macromedia has issued a security bulletin [3] and published JRun4 Updater 4,
which fixes this issue. Affected users can download the updater from
http://www.macromedia.com/support/jrun/updaters.html


References
==========

[1] Amit Klein, "Divide and Conquer"
http://www.sanctuminc.com/pdf/Whitepaper_HTTPResponse.pdf

[2] ACROS Security, "Session Fixation Vulnerability in Web-based
Applications"
http://www.acrossecurity.com/papers/session_fixation.pdf

[3] Macromedia Security Bulletin MPSB04-08
http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html


Acknowledgments
===============

We would like to acknowledge Macromedia for response to our notification of
the identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
================

October 14, 2004: Initial release


Copyright
=========

(c) 2004 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    45 Files
  • 9
    Dec 9th
    9 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close