Survey: Hole in Java Server Pages ignored by many
Administrators of many electronic commerce Web sites have yet to plug a year-old security hole that allows malicious users to hijack another user's identity, according to a new survey by Web server information firm Netcraft Ltd.
Over a thousand transactional Web sites, including several high-profile ones, still use predictable session IDs, Netcraft said in the November issue of its monthly server survey, released Monday. The company first informed vendors about the vulnerability in November 2000, it said.
Session IDs are issued to users when they log in and used from then on to identify each page request. A user's ID is displayed in the Web browser address bar or stored on a user's hard disk in a cookie. In this case the IDs are encoded using a simple rule, making them easy to predict, Netcraft said. A malicious user would simply alter the address or cookie on their machine and take over somebody else's session.
The vulnerable systems all use Java Application Servers based on Sun Microsystems Inc.'s reference implementation of the Java Server Developers Kit (JSDK 2.0), Netcraft said. Affected are Java Web Server (JWS) from version 1.1, IBM Corp.'s WebSphere and various versions of Art Technology Group Inc.'s (ATG) Dynamo e-Business Platform, according to Netcraft.
Java Server Pages (JSP) aren't widely deployed by rank-and-file sites, but are often used in professional electronic-commerce Web sites that provide services such as stock trading, banking and ticketing, Netcraft said.
All vendors have fixes for the problem available, according to the original Netcraft security advisory, which can be read online at: http://www.netcraft.com/security/public-advisories/2001-01.1.html.
ITworld.com
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
