Session ID Cookie Marking Vulnerability
A security vulnerability exists in Microsoft® Internet Information Server which could allow a malicious user to “hijack” another user’s secure web session.
Issue
IIS supports the use of a Session ID cookie to track the current session identifier for a web session. However, .ASP in IIS does not support the creation of secure Session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same web site use the same Session ID. If a user initiated a session with a secure web page, a Session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same Session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext Session ID cookie and use it to connect to the user’s session with the secure page. At that point, he could take any action on the secure page that the user could take.
Affected Products
- Microsoft IIS 4.0 & 5.0
Solution
Software patches are available from the following locations:
- IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q274149 - IIS 5.0:
http://www.microsoft.com/Windows2000/downloads/critical/q274149
Further Details
Source: Microsoft Corporation
Updated: November 20, 2000
>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<
 |
 |
|
More Guides » | Registry Guide | Support Forums | Software Guide | Scripting Guide | Search |  | |
