Ruby on Rails Multiple Method Session Fixation

This script is Copyright (C) 2007-2012 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a session fixation vulnerability.

Description :

The web server on the remote host appears to be a version of Ruby on
Rails that supports URL-based sessions. An unauthenticated, remote
attacker may be able to leverage this issue to obtain an authenticated
session.

Note that Ruby on Rails version 1.2.4 was initially supposed to
address this issue, but its session fixation logic only works for the
first request, when CgiRequest is first instantiated.

See also :

http://www.nessus.org/u?d4902c46
http://www.nessus.org/u?2f5b72e6
http://www.nessus.org/u?abd8800d
http://www.nessus.org/u?1eeea9de

Solution :

Upgrade to Ruby on Rails version 1.2.6 or later and make sure
'config.action_controller.session_options[:cookie_only]' is set to
'true' in the 'config/environment.rb' file.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 28333 ()

Bugtraq ID: 26096
26598

CVE ID: CVE-2007-5380
CVE-2007-6077

Ready to Scan Unlimited IPs & Run Compliance Checks?

Upgrade to Nessus Professional today!

Buy Now

Combine the Power of Nessus with the Ease of Cloud

Start your free Nessus Cloud trial now!

Begin Free Trial