Internet Information Server is Vulnerable to Session Hijacking


Reported October 23, 2000 by Microsoft & ACROS Security

VERSIONS AFFECTED
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0

DESCRIPTION

Internet Information Server, like most web servers, supports the use of session ID cookies.  However, .ASP does not support the creation of secure session cookies.  As a result, the same session ID cookies are used for secure (SSL) and non-secure sessions.  Under certain circumstances this would allow a malicious user to hijack a user's secure session.
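
A check for the condition described above, as an added example that is not part of the original advisory: it parses Set-Cookie values captured from an HTTPS response and reports session cookies that lack the Secure attribute, which a browser would therefore also send over plain HTTP. The ASPSESSIONID name prefix, the function names and the sample header values are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers captured from HTTPS responses.
# Header values below are constructed sample data, not real server output.

SESSION_PREFIXES = ("ASPSESSIONID",)  # assumed: classic ASP session cookie prefix


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def sent_over_plain_http(header_value):
    """True if a browser would also attach this cookie to http:// requests."""
    _, _, attrs = parse_set_cookie(header_value)
    return "secure" not in attrs


def audit_https_response(set_cookie_values):
    """Return names of session cookies set over HTTPS without Secure."""
    findings = []
    for raw in set_cookie_values:
        name, _, _ = parse_set_cookie(raw)
        is_session = name.upper().startswith(SESSION_PREFIXES)
        if is_session and sent_over_plain_http(raw):
            findings.append(name)
    return findings


# Constructed Set-Cookie values as they might appear in an HTTPS response.
SAMPLE_HEADERS = [
    "ASPSESSIONIDEXAMPLEA=CONSTRUCTEDVALUE0001; path=/",
    "ASPSESSIONIDEXAMPLEB=CONSTRUCTEDVALUE0002; path=/; Secure",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    for cookie_name in audit_https_response(SAMPLE_HEADERS):
        print("session cookie without Secure attribute:", cookie_name)
```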

VENDOR RESPONSE

Microsoft has released a security advisory, MS00-0080, and the following patches are available:

Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25233

Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25232

CREDIT
Discovered by ACROS Security

 