Hi, during a scan of the Project-Open application, I got the following vulnerability:

Medium: Session Identifier Not Updated
Issue: 13800882
Severity: Medium
URL: https://<server_name>/register/
Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
Fix: Do not accept externally created session identifiers.

Though the fix is mentioned, it is not sufficient for me to understand it completely. Please guide me on how I should remove this. Also let me know if any further details are needed to understand the question.
The session_id remains the same even after the user logs in to the application successfully, but the application is supposed to update the session_id in this case, which is causing the security threat. The file /web/projop/packages/acs-tcl/tcl/security-procs.tcl contains the session_id creation code, but I don't know how to reflect the change in Tcl. I found the following code which does the same, but it's in Java.
import java.util.Enumeration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

public HttpSession changeSessionIdentifier(HttpServletRequest request) throws AuthenticationException {
    // get the current session
    HttpSession oldSession = request.getSession();

    // make a copy of the session content
    Map<String, Object> temp = new ConcurrentHashMap<String, Object>();
    Enumeration<String> e = oldSession.getAttributeNames();
    while (e != null && e.hasMoreElements()) {
        String name = e.nextElement();
        Object value = oldSession.getAttribute(name);
        temp.put(name, value);
    }

    // kill the old session and create a new one (new identifier issued by the container)
    oldSession.invalidate();
    HttpSession newSession = request.getSession();
    User user = ESAPI.authenticator().getCurrentUser();
    user.addSession(newSession);
    user.removeSession(oldSession);

    // copy back the session content into the new session
    for (Map.Entry<String, Object> stringObjectEntry : temp.entrySet()) {
        newSession.setAttribute(stringObjectEntry.getKey(), stringObjectEntry.getValue());
    }
    return newSession;
}
P.S. Please let me know if you need any further explanation.
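The two halves of the scanner's fix, written out as an added Python example that is not part of the original post, of Project-Open, or of OpenACS: a session identifier presented by the client is honoured only if the server issued it and it is still live, and a successful login discards the pre-login identifier and migrates the session attributes to a freshly generated one, which is the same sequence of steps as the Java changeSessionIdentifier above. The in-memory session store, the user table, the credentials and the check function pre_login_id_is_rejected_after_login are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo credential store (placeholder, not Project-Open's user table).
_SALT = b"demo-salt"
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison against the stored PBKDF2 hash."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


class SessionStore:
    """In-memory session table keyed by a server-generated identifier."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def _new_id(self) -> str:
        # 32 random bytes from the OS CSPRNG; never derived from client input.
        return secrets.token_urlsafe(32)

    def get_or_create(self, presented_id: Optional[str]) -> str:
        """Return the session id to use for this request.

        An identifier the client presents is honoured only if this server
        issued it and it is still live; anything else is discarded and a
        fresh identifier is minted. This is the "do not accept externally
        created session identifiers" half of the fix.
        """
        if presented_id is not None and presented_id in self._sessions:
            return presented_id
        sid = self._new_id()
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def set_attribute(self, sid: str, name: str, value: object) -> None:
        self._sessions[sid][name] = value

    def rotate(self, old_id: str) -> str:
        """Same steps as the Java changeSessionIdentifier: copy the attributes,
        invalidate the old id, create a new one, copy the attributes back."""
        attributes = dict(self._sessions.pop(old_id))  # pop == invalidate
        new_id = self._new_id()
        self._sessions[new_id] = attributes
        return new_id

    def login(self, sid: str, username: str, password: str) -> Optional[str]:
        """Authenticate; on success the caller must send the *returned* id as the cookie."""
        if not verify_password(username, password):
            return None             # failed login: anonymous session left untouched
        new_sid = self.rotate(sid)  # the pre-login id is dead from here on
        self._sessions[new_sid]["user"] = username
        return new_sid


def pre_login_id_is_rejected_after_login(store: SessionStore) -> bool:
    """Regression check for the scanner finding: the id known before
    authentication must not resolve to the authenticated session afterwards,
    while attributes set before login survive the rotation."""
    pre = store.get_or_create(None)
    store.set_attribute(pre, "cart", ["widget"])
    post = store.login(pre, "alice", "correct horse")
    return (post is not None and post != pre and store.get(pre) is None
            and store.get(post) == {"cart": ["widget"], "user": "alice"})


if __name__ == "__main__":
    print("rotation OK:", pre_login_id_is_rejected_after_login(SessionStore()))
```

The rotation happens only on successful authentication: a failed login must not mint a new identifier, otherwise a wrong password could be used to churn through session ids, and the new identifier is always generated server-side, never taken from the request.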
CGM: Hi, unfortunately most Tcl users have never heard of Project-Open, so you are not very likely to find help here. I would suggest you post your question on the Project-Open forum at http://sourceforge.net/p/project-open/discussion/295937 . Or, since it probably relates to the OpenACS infrastructure as much as the Project-Open application, you could try an OpenACS forum.