SecurityTracker.com

Category:  Application (Web Server/CGI)  >  Macromedia JRun
Vendors:  Macromedia
Macromedia JRun May Generate Duplicate Authentication Tokens in Certain Cases
SecurityTracker Alert ID:  1014489
SecurityTracker URL:  http://securitytracker.com/id?1014489
CVE Reference:  CVE-2005-2306
Updated:  Jun 24 2008
Original Entry Date:  Jul 15 2005
Impact:  User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Advisory:  Macromedia Security Bulletin
Version(s): 4.0
Description:  A vulnerability was reported in Macromedia JRun. A remote authenticated user may be able to obtain session information from another user.

Under high load, the target server may assign the same authentication token to two different sessions. In this case, two remote authenticated users may be able to share information from a single user session.

The vendor indicates that this occurs rarely and cannot be triggered by a remote user.

The vendor credits Greg Ball from the University of Virginia with reporting this vulnerability.

ColdFusion MX 6.1 Enterprise with JRun and ColdFusion MX 7.0 Enterprise Multi-Server Edition are also affected.
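
Added example (not part of the advisory or of any vendor code): a log audit that flags a session token observed with more than one authenticated user, which is the visible symptom of the collision described above. The log layout, the user= and jsessionid= field names, and the sample lines are constructed assumptions, not JRun's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed layout: timestamp, user=, jsessionid=).
SAMPLE_LOG = """\
2005-07-14T10:00:01 user=alice jsessionid=8430a1f2c6d5 GET /account
2005-07-14T10:00:02 user=bob jsessionid=77c09e1b44aa GET /account
2005-07-14T10:00:02 user=carol jsessionid=8430a1f2c6d5 GET /orders
2005-07-14T10:00:03 user=alice jsessionid=8430a1f2c6d5 GET /orders
2005-07-14T10:00:04 user=- jsessionid=77c09e1b44aa GET /static/logo.gif
malformed line without fields
"""

# Hypothetical line format; adapt the pattern to the server's real log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+jsessionid=(?P<token>[0-9A-Za-z]+)\b"
)


def find_shared_tokens(lines):
    """Return {token: {user: first_seen_timestamp}} for every session token
    that appears with more than one authenticated user."""
    first_seen = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("user") == "-":
            continue  # skip unparsable lines and unauthenticated requests
        # Record only the first time each user presented this token.
        first_seen[m.group("token")].setdefault(m.group("user"), m.group("ts"))
    return {tok: users for tok, users in first_seen.items() if len(users) > 1}


if __name__ == "__main__":
    for token, users in find_shared_tokens(SAMPLE_LOG.splitlines()).items():
        print(f"token {token} shared by:")
        for user, ts in sorted(users.items(), key=lambda kv: kv[1]):
            print(f"  {user} (first seen {ts})")
```

A hit where the users appear one after another from the same client can also mean the application keeps the session ID across logins, so compare the first-seen times and client addresses before treating it as a collision.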

Impact:  A remote authenticated user may be able to obtain session information belonging to another user.
Solution:  The vendor has issued a fix for JRun 4.0, available at:

http://download.macromedia.com/pub/security/mpsb05-05.zip

Vendor URL:  www.macromedia.com/devnet/security/security_zone/mpsb05-05.html
Cause:  Authentication error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 14 Jul 2005 23:36:42 -0400
Subject:  http://www.macromedia.com/devnet/security/security_zone/mpsb05-05.html

 
 
 
> MPSB05-05 - Security Patch available for JRun 4.0 token collision
 
> Under high load, JRun may generate two sessions with the same authentication token. 
> This cannot be controlled by an attacker and it occurs very rarely, but it may cause 
> two authenticated users to share information from a single user session.
 



Copyright 2007, SecurityGlobal.net LLC