Ruby on Rails Multiple Method Session Fixation

This script is Copyright (C) 2007-2012 Tenable Network Security, Inc.

Synopsis :

The remote web server is affected by a session fixation vulnerability.

Description :

The web server on the remote host appears to be a version of Ruby on
Rails that supports URL-based sessions. An unauthenticated, remote
attacker may be able to leverage this issue to obtain an authenticated

Note that Ruby on Rails version 1.2.4 was initially supposed to
address this issue, but its session fixation logic only works for the
first request, when CgiRequest is first instantiated.

See also :

Solution :

Upgrade to Ruby on Rails version 1.2.6 or later and make sure
'config.action_controller.session_options[:cookie_only]' is set to
'true' in the 'config/environment.rb' file.

Risk factor :

Medium / CVSS Base Score : 6.8
CVSS Temporal Score : 5.6
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 28333 ()

Bugtraq ID: 26096

CVE ID: CVE-2007-5380