SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Macromedia JRun
Vendors:   Macromedia
Macromedia JRun May Generate Duplicate Authentication Tokens in Certain Cases
SecurityTracker Alert ID:  1014489
SecurityTracker URL:  http://securitytracker.com/id/1014489
CVE Reference:   CVE-2005-2306
Updated:  Jun 24 2008
Original Entry Date:  Jul 15 2005
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0
Description:   A vulnerability was reported in Macromedia JRun. A remote authenticated user may be able to obtain session information from another user.

Under high load, the target server may assign the same authentication token to two different sessions. In this case, two remote authenticated users may be able to share information from a single user session.

The vendor indicates that this occurs rarely and cannot be triggered by a remote user.

The vendor credits Greg Ball from the University of Virginia with reporting this vulnerability.

ColdFusion MX 6.1 Enterprise with JRun and ColdFusion MX 7.0 Enterprise Multi-Server Edition are also affected.
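
A defender can look for the condition described above by checking whether any session token is bound to more than one authenticated user. The following is an added example, not code from the vendor or from SecurityTracker; the audit log format, field names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical application audit format:
# timestamp, authenticated user, client address, session token.
SAMPLE_LOG = """\
2005-07-15T10:00:01Z user=alice ip=192.0.2.10 jsessionid=8430a1f2c3d4
2005-07-15T10:00:01Z user=bob ip=192.0.2.44 jsessionid=8430a1f2c3d4
2005-07-15T10:00:02Z user=carol ip=192.0.2.51 jsessionid=8430b7e9aa01
2005-07-15T10:00:05Z user=alice ip=192.0.2.10 jsessionid=8430a1f2c3d4
2005-07-15T10:00:09Z user=carol ip=198.51.100.7 jsessionid=8430b7e9aa01
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)"
    r"\s+jsessionid=(?P<sid>[0-9A-Fa-f]+)$"
)


def find_shared_tokens(log_text):
    """Map each token seen with more than one user to [(user, first_seen)]."""
    first_seen = defaultdict(dict)  # token -> {user: first timestamp}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        # Key on the authenticated principal, not the client address:
        # one user changing address is not a token collision.
        first_seen[m["sid"]].setdefault(m["user"], m["ts"])
    return {
        sid: sorted(users.items())
        for sid, users in first_seen.items()
        if len(users) > 1
    }


if __name__ == "__main__":
    for sid, users in find_shared_tokens(SAMPLE_LOG).items():
        names = ", ".join(f"{u} (first seen {ts})" for u, ts in users)
        print(f"token {sid} shared by: {names}")
```
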

Impact:   A remote authenticated user may be able to obtain session information belonging to another user.
Solution:   The vendor has issued a fix for JRun 4.0, available at:

http://download.macromedia.com/pub/security/mpsb05-05.zip

Vendor URL:  www.macromedia.com/devnet/security/security_zone/mpsb05-05.html
Cause:   Authentication error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC