SecurityTracker.com

SecurityTracker Archives

Category:  Application (Generic) > Sesame
Vendors:  OpenRDF.org
Sesame Initialization Flaw in SesameServlet.setSessionContext() Lets a Remote User Access Another User's Account
SecurityTracker Alert ID:  1009978
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Apr 29 2004
Impact:  User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.0
Description:  A vulnerability was reported in Sesame. A remote user may be able to gain access to repositories of other users that are currently logged in.

The vendor reported that there is a flaw in SesameServlet.setSessionContext(), where user information is stored in a SessionContext object and bound to a specific thread via a ThreadLocal object. Because Tomcat 5 reuses threads to handle requests, the context left behind by one user's request remains attached to the thread, so a remote user whose request is later served by that same thread may be able to gain complete access to the target user's account.
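The leak the advisory describes, as an added illustration that is not Sesame's code: a per-thread SessionContext that is set during an authenticated request and never removed is inherited by the next request the same pooled thread serves, whereas clearing the ThreadLocal in a finally block confines it to one request. The SessionContext class, the two servlet stand-ins and the single-thread pool are constructed for this example.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
// Hypothetical stand-ins for Sesame's SessionContext and servlet (not the project's code).
public class ThreadLocalLeakDemo {
    static final class SessionContext {
        final String user;
        SessionContext(String user) { this.user = user; }
    }
    // Vulnerable pattern: the context is bound to the thread on login and never cleared,
    // so the next request served by the same pooled thread inherits it.
    static final class VulnerableServlet {
        private final ThreadLocal<SessionContext> ctx = new ThreadLocal<>();
        String handle(String authenticatedUser) {
            if (authenticatedUser != null) ctx.set(new SessionContext(authenticatedUser));
            SessionContext c = ctx.get();
            return c == null ? "anonymous" : c.user;
        }
    }
    // Fixed pattern: bind the context for exactly one request and remove it in finally.
    static final class FixedServlet {
        private final ThreadLocal<SessionContext> ctx = new ThreadLocal<>();
        String handle(String authenticatedUser) {
            ctx.set(authenticatedUser == null ? null : new SessionContext(authenticatedUser));
            try {
                SessionContext c = ctx.get();
                return c == null ? "anonymous" : c.user;
            } finally {
                ctx.remove();
            }
        }
    }
    public static void main(String[] args) throws Exception {
        // A single-thread pool forces consecutive requests onto one thread, the
        // reuse pattern the advisory attributes to Tomcat 5.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        VulnerableServlet v = new VulnerableServlet();
        FixedServlet f = new FixedServlet();
        try {
            pool.submit(() -> v.handle("alice")).get();   // authenticated request
            System.out.println("vulnerable, anonymous request runs as: "
                    + pool.submit(() -> v.handle(null)).get());
            pool.submit(() -> f.handle("alice")).get();
            System.out.println("fixed, anonymous request runs as: "
                    + pool.submit(() -> f.handle(null)).get());
        } finally {
            pool.shutdown();
        }
    }
}
```

The same check applies to any request-scoped state kept in a ThreadLocal under a pooled container: it must be removed before the thread returns to the pool, not merely overwritten on the next login.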

Impact:  A remote user may be able to gain access to another user's account.
Solution:  The vendor has released a fixed version (1.0.1), available at:

http://sourceforge.net/project/showfiles.php?group_id=46509&package_id=40257&release_id=234477

Vendor URL:  www.openRDF.org/
Cause:  Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 29 Apr 2004 07:26:17 -0400
Subject:  http://www.openrdf.org/
http://www.openRDF.org/

 > Sesame 1.0.1 has been released today. This version fixes four issues that have been found
 > in version 1.0. The most important fix is for a security issue that allowed anonymous
 > users to gain full access to repositories of other users that were logged in. As a
 > result, we strongly advise everyone to upgrade their installation to version 1.0.1.


http://sourceforge.net/project/shownotes.php?release_id=234477

 > - [SES-32] A bug in one of Sesame's servlets allowed anonymous
 >   users to gain full access to repositories of other users that
 >   were logged in. This issue surfaced on Tomcat 5, which reuses
 >   threads to handle requests.


Fix:

http://sourceforge.net/project/showfiles.php?group_id=46509&package_id=40257&release_id=234477


Copyright 2004, SecurityGlobal.net LLC