Bug#393073: Please consider one more security issue before going to testing

Tiago Bortoletto Vaz tiagovaz at safernet.org.br
Tue Feb 6 20:44:14 CET 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory ID : FrSIRT/ADV-2007-0497

Jetty Insecure Random Number Generation and Session ID Prediction
Vulnerability

Reference:
http://www.frsirt.com/english/advisories/2007/0497 

Technical Description:
A vulnerability has been identified in Jetty, which could be exploited
by remote attackers to bypass security restrictions. This issue is due
to a design error where session identifiers generated via the
"java.util.Random" class are easily predictable, which could be
exploited by remote attackers to hijack a user's session and gain
unauthorized access to a vulnerable application.

thanks,

- -- 
Tiago Bortoletto Vaz
SaferNet Brasil
http://www.safernet.org.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFyNqOaQ1iFKUE/soRAk5SAJ4gkpODLwHeJxgsxUP2Fumzs0ifkgCfeyyS
NF+16XVjZpWepGYBuIUSjYg=
=jT5B
-----END PGP SIGNATURE-----
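The contrast the advisory describes, as an added Java example that is not part of the original mail and not Jetty's own code: `java.util.Random` is a 48-bit linear congruential generator whose entire output sequence is fixed by its seed, so two instances seeded with the same value (for example a timestamp an attacker can narrow down) produce identical session IDs, whereas `java.security.SecureRandom` draws from the platform CSPRNG. The class and method names below are illustrative and assume nothing about how Jetty's session manager is actually structured.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Hypothetical demo class; names are not from Jetty.
public class SessionIdDemo {

    // Weak form (what the advisory warns about): java.util.Random is a
    // 48-bit LCG, so the whole session ID is a function of the seed alone.
    static String weakSessionId(long seed) {
        Random r = new Random(seed);
        long a = r.nextLong();
        long b = r.nextLong();
        return Long.toHexString(a) + Long.toHexString(b);
    }

    // Hardened form: one process-wide SecureRandom (seeded from the OS CSPRNG),
    // 128 bits of entropy per ID, URL-safe base64 so it is cookie-friendly.
    private static final SecureRandom RNG = new SecureRandom();

    static String strongSessionId() {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Constructed seed resembling a millisecond timestamp, the kind of
        // value a deployment might use if it seeds Random from the clock.
        long guessableSeed = 1170794654000L;

        String weak1 = weakSessionId(guessableSeed);
        String weak2 = weakSessionId(guessableSeed);
        System.out.println("weak   #1: " + weak1);
        System.out.println("weak   #2: " + weak2);
        System.out.println("weak IDs identical for the same seed: " + weak1.equals(weak2));

        String strong1 = strongSessionId();
        String strong2 = strongSessionId();
        System.out.println("strong #1: " + strong1);
        System.out.println("strong #2: " + strong2);
        System.out.println("strong IDs identical: " + strong1.equals(strong2));
    }
}
```

Running it shows the weak generator reproducing the same ID whenever the seed repeats, while the SecureRandom-backed generator does not; when auditing a servlet container, the check is whether the session ID source is a CSPRNG and whether the ID carries enough entropy (128 bits is the common floor) that brute-forcing or guessing it is impractical.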

