New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Gitblit is vulnerable to session fixation #358

Closed

gitblit opened this issue Aug 12, 2015 · 4 comments

Assignees

Labels

🐱 Defect Priority-Medium Status-Fixed

Milestone

Collaborator

gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 62

From the gitblit forum:

Gitblit accept url like
http://example.com/gitblit/;jsessionid=8EB3144A6XXXXXXXXX
and jsessionid doesn't change when user login.
So session fixation seems to be possible.

http://en.wikipedia.org/wiki/Session_fixation

Reported by James.Moger on 2012-02-09 13:28:59

The text was updated successfully, but these errors were encountered:

Collaborator Author

gitblit commented Aug 12, 2015

This is fixed on master for anyone who needs this sooner than later.

Reported by James.Moger on 2012-02-09 13:35:17

gitblit self-assigned this

gitblit added Priority-Medium Status-Fixed 🐱 Defect Milestone-0.9.0 labels

Collaborator Author

gitblit commented Aug 12, 2015

Reported by James.Moger on 2012-02-09 22:50:44

Status changed: Queued

Collaborator Author

gitblit commented Aug 12, 2015

Fixed in v0.9.1

Reported by James.Moger on 2012-03-28 00:02:10

Collaborator Author

gitblit commented Aug 12, 2015

Fixed in v0.9.1. Closing.

Reported by James.Moger on 2012-03-28 00:03:13

Status changed: Fixed

gitblit closed this as completed

flaix modified the milestone: 0.9.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment