Me and my colleague (http://reply-to-all.blogspot.ru/)
performed research and figured out vulnerability in Jenkins CI and Hudson CI
software. Versions of Jenkins prior to 1.534 and versions of Hudson prior to 3.0.0
are vulnerable as they use Winstone servlet engine in default installation. Winstone
servlet engine implements weak algorithm for generating session identifiers.
Remote attacker could predict valid session identifiers to hijack user sessions
and gain unauthorized access to the application running above Winstone. Valid
login and password are not necessary for intruder to perform such attack.
To cope with this issue the solution is to use
Jenkins version 1.534 and above, Hudson version 3.0.0 and above which use Jetty
by default. Another possible solution is to run application server software that
use robust session id generation algorithm like Tomcat or Jetty.
We reported our findings to Jenkins CI community.
We reported our findings to Jenkins CI community.
Session hacking is a security attack which uses a session over a protected nework. it is important term in ethical hacking. learn about this learn hacking online
ОтветитьУдалитьUseful information on session hijacking.Learn Ethical Hacking Training
ОтветитьУдалить