Vulnerability solutions

The periodic vulnerability scan run by Nimsoft Cloud Monitor checks for the following vulnerability. To see the most recently added solutions that Nimsoft Cloud Monitor scans for, visit Vulnerability solutions.

Category: Web Servers
Risk factor: High
Added: 18 Mar 2010
Synopsis:

The remote web application may be vulnerable to a session fixation
attack.

Description:

The remote web application uses cookies to track authenticated users. If the session cookie is already present before authentication, it remains unchanged after a successful login. That is, only server-side variables are updated.

Session cookies are expected to be unpredictable in a secure web application. If HTTP cookies can be manipulated (by injecting client-side JavaScript, for example), then the attacker does not have to break the pseudo-random generator, and the web application is vulnerable to a 'session fixation' attack.

See also:

http://en.wikipedia.org/wiki/Session_fixation
http://www.owasp.org/index.php/Session_Fixation

Solution:

Fix the application so that the session cookie is re-generated after successful authentication.
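An added illustration, not part of the plugin text or of any product's code: a minimal in-memory session store with a login handler that keeps the pre-authentication cookie (the behaviour the plugin flags) beside one that regenerates it, plus a check that mirrors what the scanner looks for. The store, the function names and the session values are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Constructed in-memory session store keyed by cookie value."""
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        # Unpredictable id, as the description says a secure application needs.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str) -> dict:
        # Accept whatever cookie the client presents (creating it if unknown).
        return self.sessions.setdefault(sid, {"user": None})


def login_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    """Flagged pattern: only server-side state changes; the cookie is unchanged."""
    store.get(sid)["user"] = user
    return sid


def login_fixed(store: SessionStore, sid: str, user: str) -> str:
    """Recommended fix: drop the pre-auth session and issue a fresh id on login."""
    store.sessions.pop(sid, None)          # invalidate the id the client presented
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = user
    return new_sid


def session_fixation_check(login) -> bool:
    """Mirror of the scanner's test: present a cookie before authentication,
    log in, and report True (vulnerable) when the cookie value is unchanged."""
    store = SessionStore()
    pre_auth_sid = "id-set-before-login"   # constructed pre-authentication cookie
    post_auth_sid = login(store, pre_auth_sid, "alice")
    return post_auth_sid == pre_auth_sid
```

Both handlers run against the same check, so the vulnerable one returns True and the fixed one returns False, and the fixed handler also leaves the old id invalid on the server side.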

Risk factor:

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)