You are here
Session fixation attack on Apache Tomcat 6
Last update on 12. March 2014 - 11:07.
Apache Tomcat 6.0.33 to 6.0.37 does not consider the disableURLRewriting setting when handling a session id in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL (CVE-2014-0033) [1].
The configuration center of Airlock 4.2 is not affected because regular logins to the configuration center always generate a session cookie. As a consequence, additional session IDs in URLs will be ignored by Tomcat. Airlock 5 is not affected since Tomcat 7 is used.
If you are using an affected Tomcat 6 version and want to prevent session IDs in URLs we recommend to upgrade Tomcat to version 6.0.39 (and setting disableURLRewriting to true [2]) or to upgrade to Version 7 where session IDs in URLs are disabled by default.
If you can't upgrade your Tomcat 6 back-end and therefore can not disable session IDs in URLs (which is enabled by default in Tomcat 6) you can protect the back-end with Airlock by applying one of the following approaches:
- Enable URL encryption - this helps not only against this vulnerability but enhances the security in general
- Remove all jsession IDs in HTTP responses by configuring a rewriting rule on the affected Tomcat Mapping. Further configure a deny rule to prevent jsession IDs in HTTP request paths. Configuration details:
- Rewriting Rule
Create a new Rewrite Response Body (HTML only) rule with the URL pattern ;jsessionid=[[:xdigit:]]+ and blank Replace with field on the affected mapping. Screenshot of the rewrite rule (click on image to enlarge):
- Deny Rule
Create a new deny rule with the pattern ;jsessionid= and enable the deny rule on the affected mapping. Screenshot of the deny rule (click on image to enlarge):
- Rewriting Rule