Ruby on Rails Multiple Method Session Fixation

This script is Copyright (C) 2007-2012 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a session fixation vulnerability.

Description :

The web server on the remote host appears to be a version of Ruby on
Rails that supports URL-based sessions. An unauthenticated, remote
attacker may be able to leverage this issue to obtain an authenticated
session.

Note that Ruby on Rails version 1.2.4 was initially supposed to
address this issue, but its session fixation logic only works for the
first request, when CgiRequest is first instantiated.

See also :

http://www.nessus.org/u?d4902c46
http://www.nessus.org/u?2f5b72e6
http://www.nessus.org/u?abd8800d
http://www.nessus.org/u?1eeea9de

Solution :

Upgrade to Ruby on Rails version 1.2.6 or later and make sure
'config.action_controller.session_options[:cookie_only]' is set to
'true' in the 'config/environment.rb' file.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 28333 ()

Bugtraq ID: 26096
26598

CVE ID: CVE-2007-5380
CVE-2007-6077