Internet Information Server, like most web servers, supports the use of session ID cookies. However, .ASP does not support the creation of secure session cookies. As a result, the same session ID cookie is used for both secure (SSL) and non-secure sessions. Under certain circumstances this would allow a malicious user to hijack a user's secure session.

VENDOR RESPONSE

Microsoft has released a security advisory, MS00-0080, and the following patches are available:

Internet Information Server 4.0:
Internet Information Server 5.0:
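
The condition described above can be checked from captured HTTP headers: a session cookie issued over SSL without the Secure attribute, and the same session ID later sent over plain HTTP. The following is an added example, not code from the advisory or from Microsoft; it assumes the session cookie carries classic ASP's ASPSESSIONID name prefix, and the sample traffic is constructed.

```python
import re

# Assumption: classic ASP names its session cookie ASPSESSIONID plus a suffix.
SESSION_COOKIE = re.compile(r"^ASPSESSIONID[A-Z]*$", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value.strip(), attrs


def parse_cookie(header):
    """Parse a request Cookie header into a {name: value} dict."""
    pairs = (p.strip().partition("=") for p in header.split(";") if p.strip())
    return {n.strip(): v.strip() for n, _, v in pairs}


def audit(exchanges):
    """exchanges: (scheme, direction, header_value) tuples in observed order.
    direction is 'set' for a response Set-Cookie, 'sent' for a request Cookie."""
    findings, seen_on_https = [], set()
    for scheme, direction, header in exchanges:
        if direction == "set":
            name, value, attrs = parse_set_cookie(header)
            cookies = {name: value}
            # A session cookie issued over SSL must carry the Secure attribute.
            if scheme == "https" and SESSION_COOKIE.match(name) and "secure" not in attrs:
                findings.append(("missing-secure", name))
        else:
            cookies = parse_cookie(header)
        for name, value in cookies.items():
            if not SESSION_COOKIE.match(name):
                continue
            if scheme == "https":
                seen_on_https.add((name, value))
            elif (name, value) in seen_on_https:
                # The session ID used over SSL has now crossed the wire in cleartext.
                findings.append(("https-session-sent-over-http", name))
    return findings


# Constructed sample traffic (not taken from the advisory).
SAMPLE = [
    ("https", "set", "ASPSESSIONIDQQGGGNCG=KLMNOPQRSTUVWXYZABCDEFGH; path=/"),
    ("https", "sent", "ASPSESSIONIDQQGGGNCG=KLMNOPQRSTUVWXYZABCDEFGH; lang=en"),
    ("http", "sent", "lang=en; ASPSESSIONIDQQGGGNCG=KLMNOPQRSTUVWXYZABCDEFGH"),
    ("https", "set", "ASPSESSIONIDAABBCCDD=HGFEDCBAZYXWVUTSRQPONMLK; path=/; secure"),
]
```

Calling `audit(SAMPLE)` reports the first cookie twice, once for the missing attribute and once for the cleartext reuse, while the cookie marked `secure` produces no finding.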