
V-155: Apache Tomcat FORM Authenticator Lets Remote Users Conduct Session Fixation Attacks

May 14, 2013 - 12:08am


PROBLEM:

Apache Tomcat FORM Authenticator Lets Remote Users Conduct Session Fixation Attacks

PLATFORM:

Tomcat 6.0.21 to 6.0.36, 7.0.0 to 7.0.32

ABSTRACT:

A vulnerability was reported in Apache Tomcat.

REFERENCE LINKS:

Apache Tomcat
SecurityTracker Alert ID: 1028534
CVE-2013-2067

IMPACT ASSESSMENT:

High

DISCUSSION:

A remote user can repeatedly send a specially crafted request for a resource that requires authentication while the target user is completing the login form. The FORM authentication process then executes the remote user's request with the privileges of the target user.
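The saved-request race described above, as a constructed model added here (it is not Tomcat's code and does not reproduce Tomcat's actual fix): a session stores the last request that needed authentication and replays it after a successful login. The vulnerable variant replays whatever is saved at login time; the hardened variant is one illustrative mitigation, binding the rendered login form to the request it was issued for, so a request saved later by another party is dropped instead of replayed. Session, request_protected, login and scenario are names assumed for this model.

```python
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class Session:
    """Constructed stand-in for a server-side session shared via a known ID."""
    user: Optional[str] = None
    saved_request: Optional[str] = None  # last request that required authentication
    saved_nonce: Optional[str] = None    # nonce issued with the login form for that request


def request_protected(session: Session, path: str, bind_form: bool) -> Optional[str]:
    """An unauthenticated request for a protected resource arrives: save it and
    issue the login form. With bind_form, the form carries a nonce that is
    recorded alongside the saved request. Returns the nonce the form carries."""
    session.saved_request = path
    session.saved_nonce = secrets.token_hex(8) if bind_form else None
    return session.saved_nonce


def login(session: Session, user: str, form_nonce: Optional[str], bind_form: bool) -> Optional[str]:
    """Credentials submitted successfully. Returns the request that gets replayed
    under the newly authenticated user, or None if nothing is replayed."""
    session.user = user
    replay, session.saved_request = session.saved_request, None
    if bind_form and form_nonce != session.saved_nonce:
        # The saved request was replaced after this login form was rendered:
        # it is not the request the user was asked to log in for, so drop it.
        return None
    return replay


def scenario(bind_form: bool, interleaved: bool = True) -> Optional[str]:
    """Both parties use the same session (the session-fixation precondition).
    The target user asks for a resource and receives the login form; before
    the form is submitted, a second party's request overwrites the saved one."""
    s = Session()
    victim_nonce = request_protected(s, "/account/profile", bind_form)
    if interleaved:
        request_protected(s, "/protected/other-party-choice", bind_form)
    return login(s, "target-user", victim_nonce, bind_form)
```

Without binding, the replayed request is the one saved last, regardless of who saved it; with binding, the target user's login replays only the request their own form was issued for.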

IMPACT:

A remote user can conduct session fixation attacks.

SOLUTION:

The vendor has issued a fix (6.0.37, 7.0.33).
