IBM WebSphere Application Server Predictable Session Cookies

2001-09-19T07:44:37
ID OSVDB:5492
Type osvdb
Reporter Marc Heuse (marc@suse.de)
Modified 2001-09-19T07:44:37

Description

Vulnerability Description

IBM's WebSphere Application Server contains a flaw that may lead to unauthorized information disclosure. The server issues session cookies in a predictable manner, allowing trivial brute-force guessing of other users' session identifiers and hijacking of their sessions, resulting in a loss of confidentiality and integrity.

Technical Description

Most of the session ID is static, and the characters that do vary are not entirely random. This is compounded by the fact that the ID is built from the 36-character alphanumeric alphabet (A-Z, 0-9), so each variable position can take only 36 values and WebSphere cycles through a small range of them. Consequently, the sequence number embedded in the ID is easily anticipated: an attacker who collects a few session IDs can identify the handful of varying positions and enumerate the identifiers issued to other users.
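The following is an added example, not code from the advisory, from IBM, or from the original reporter. It shows the check a tester would run over a sample of cookies to confirm the property described above: per-position analysis of which characters are static, how large the keyspace actually exercised is compared with the nominal 36^length, and whether the varying characters advance as a counter that lets the next ID be predicted. The "weak" generator is a constructed stand-in with a fixed prefix and suffix around a base-36 counter; it is not WebSphere's real session ID format. The hardened generator beside it draws every character from a CSPRNG over the same 36-symbol alphabet.

```python
import math
import secrets
from collections import Counter

# A-Z and 0-9: the 36-symbol alphabet the advisory describes (36 values per character).
DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_base36(n, width):
    """Render a non-negative integer as zero-padded base-36 using DIGITS."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out.rjust(width, "0")


def weak_session_id(counter):
    """Constructed stand-in for a predictable generator (NOT WebSphere's real format):
    a fixed prefix and suffix, with only a base-36 counter varying in the middle."""
    return "0001" + to_base36(counter, 4) + "A" * 20


def strong_session_id(length=28):
    """Hardened form: every character drawn from a CSPRNG over the same alphabet."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def analyze(ids):
    """Per-position analysis of a sample of equal-length session IDs.

    observed_space is the product of distinct-character counts over the varying
    positions, i.e. the keyspace the sample shows an attacker actually has to
    cover; nominal_bits is what a fully random ID of this length would give.
    """
    if not ids or any(len(s) != len(ids[0]) for s in ids):
        raise ValueError("need a non-empty sample of equal-length IDs")
    columns = [Counter(s[i] for s in ids) for i in range(len(ids[0]))]
    static = [i for i, c in enumerate(columns) if len(c) == 1]
    variable = {i: sorted(c) for i, c in enumerate(columns) if len(c) > 1}
    space = math.prod(len(v) for v in variable.values())
    return {
        "static_positions": static,
        "variable_positions": variable,
        "observed_space": space,
        "observed_bits": math.log2(space),
        "nominal_bits": len(ids[0]) * math.log2(len(DIGITS)),
    }


def predict_next(ids):
    """If the varying characters, read as a base-36 number, advance by a constant
    step across consecutive IDs, return the next ID an attacker would try; else None."""
    info = analyze(ids)
    positions = sorted(info["variable_positions"])
    if not positions:
        return None
    values = [int("".join(s[i] for i in positions), 36) for s in ids]
    deltas = {b - a for a, b in zip(values, values[1:])}
    if len(deltas) != 1 or 0 in deltas:
        return None
    digits = to_base36(values[-1] + deltas.pop(), len(positions))
    if len(digits) != len(positions):  # counter overflowed its field width
        return None
    template = list(ids[-1])
    for pos, ch in zip(positions, digits):
        template[pos] = ch
    return "".join(template)


if __name__ == "__main__":
    # Constructed samples: 50 consecutive IDs from each generator.
    weak = [weak_session_id(1000 + i) for i in range(50)]
    strong = [strong_session_id() for _ in range(50)]
    for name, sample in (("weak", weak), ("strong", strong)):
        a = analyze(sample)
        print(f"{name}: {len(a['static_positions'])} static positions, "
              f"observed space 2^{a['observed_bits']:.1f} of nominal "
              f"2^{a['nominal_bits']:.1f}, predicted next = {predict_next(sample)}")
```

Against the weak sample the analysis finds 26 of 28 positions static and an exercised keyspace of about 2^7 rather than the nominal 2^145, and predict_next returns the ID the next victim would be issued; against the CSPRNG sample no position is static and no constant step exists, so prediction fails. The sample-based keyspace is a lower bound on what the generator can emit, which is exactly the point: when it is comparable to the number of IDs observed, the generator is a counter, not a random source.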

Solution Description

Upgrade to version 4.x or later, which has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: apply the fix PQ47663V302 available via the Vendor URL.

References:

Vendor URL: http://www-306.ibm.com/software/info1/websphere/index.jsp?tab=products/appserv
Other Advisory URL: http://securitytracker.com/alerts/2001/Sep/1002437.html
Other Advisory URL: http://securitytracker.com/alerts/2001/Oct/1002513.html
Other Advisory URL: http://news.netcraft.com/archives/2003/01/01/security_advisory_2001011_predictable_session_ids.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-09/0168.html
Keyword: session IDs
Keyword: hijack
ISS X-Force ID: 7153
CVE-2001-0962
Bugtraq ID: 3349