VID | 21958 |
Severity | 20 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
The Web server has a URL that embeds the session ID (URL rewriting). Many web sites support user sessions: each user connecting to the site is issued a unique session ID, which is then used to identify all subsequent requests made by that user. Typically a session ID is generated at the beginning of the session, and the session can be maintained either with cookies or by URL rewriting (embedding the session ID in the URL). Because URL rewriting embeds the session ID in the URL, the session ID can be stored in the user's browser history, or in server logs via the HTTP Referer header. If a user is using a web proxy, the session ID will be logged on the proxy server. An attacker with access to this information can use it to perform a session hijacking attack, which can allow the attacker to access the affected site with the privileges of the victim user.
* Note: This check relies solely on string pattern matching against all URLs requested with the GET method to assess this vulnerability. The inspected patterns are: PHPSESSION=, PHPSESSID=, JSESSIONID=, ASPSESSIONID=, CFTOKEN=, JWSESSIONID=, WebLogicSession=, SESSIONID=
* References: http://news.netcraft.com/archives/2003/01/index.html http://archives.neohapsis.com/archives/sf/www-mobile/2005-q3/0138.html
* Platforms Affected: Any HTTP server (any version), any operating system (any version) |
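The pattern check described in the note, applied to web access-log lines as an added example (not the scanner's own code): it looks for the listed parameter names in GET request URLs and in logged Referer values, and masks the value it reports. The log lines, host names and the case-insensitive matching are assumptions made for this example.

```python
import re

# Parameter names from the pattern list in the note above.
NAMES = ("PHPSESSION", "PHPSESSID", "JSESSIONID", "ASPSESSIONID",
         "CFTOKEN", "JWSESSIONID", "WebLogicSession", "SESSIONID")
# Assumption beyond the page: match case-insensitively, so the lowercase
# ";jsessionid=" path-parameter form is caught as well.
PARAM_RE = re.compile(r"(%s)=([^&;#\s\"]+)" % "|".join(NAMES), re.IGNORECASE)
# Combined Log Format: "METHOD url HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def mask(value):
    """Keep a short prefix so the report does not become a second leak."""
    return value[:4] + "..."

def find_session_ids(url):
    """Return (parameter name, masked value) for each session ID in a URL."""
    return [(m.group(1), mask(m.group(2))) for m in PARAM_RE.finditer(url)]

def scan_log(lines):
    """Flag GET request URLs and Referer values that carry a session ID."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        fields = [("referer", m.group("referer"))]
        if m.group("method") == "GET":  # the check inspects GET URLs only
            fields.insert(0, ("url", m.group("url")))
        for field, value in fields:
            for name, masked in find_session_ids(value):
                findings.append((lineno, field, name, masked))
    return findings

# Constructed sample log lines (not from the page).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop/cart.jsp;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 512 "-" "UA"',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /img/logo.png HTTP/1.1" 200 900 "http://app.example/view.php?id=7&PHPSESSID=9f8e7d6c5b4a" "UA"',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "UA"',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "POST /login?SESSIONID=deadbeef HTTP/1.1" 302 0 "-" "UA"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("line %d: %s carries %s=%s" % finding)
```

The POST line is not flagged because the check, as described, inspects GET URLs only; a Referer hit such as line 2 shows the ID reaching a log through a follow-up request.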
Recommendation |
Ensure that the affected script page does not contain links to external web sites, which would cause it to send the session ID in the HTTP Referer header, and modify the script page to put the session ID in a secured session cookie. |
Related URL | (CVE) |
Related URL | (SecurityFocus) |
Related URL | (ISS) |