This script is Copyright (C) 2007-2012 Tenable Network Security, Inc.
The remote web server is affected by a session fixation vulnerability.
The web server on the remote host appears to be a version of Ruby on
Rails that supports URL-based sessions. An unauthenticated, remote
attacker may be able to leverage this issue to obtain an authenticated
Note that Ruby on Rails version 1.2.4 was initially supposed to
address this issue, but its session fixation logic only works for the
first request, when CgiRequest is first instantiated.
See also :
Upgrade to Ruby on Rails version 1.2.6 or later and make sure
'config.action_controller.session_options[:cookie_only]' is set to
'true' in the 'config/environment.rb' file.
Risk factor :
Medium / CVSS Base Score : 6.8
CVSS Temporal Score : 5.6
Public Exploit Available : true