Oracle WebLogic Server Servlet Container Session Fixation

Medium | Nessus Plugin ID 52756

Synopsis

A web server running on the remote host has a session fixation vulnerability.

Description

The version of Oracle WebLogic Server running on the remote host has a session fixation vulnerability.

A remote attacker could exploit this by tricking a user into making a specially crafted POST request. This would allow the attacker to hijack the user's session.

Solution

Apply the relevant patch referenced by the Oracle advisory.

See Also

http://www.nessus.org/u?e08549d8

http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

Plugin Details

Severity: Medium

ID: 52756

File Name: weblogic_session_fixation.nasl

Version: 1.10

Type: remote

Family: Web Servers

Published: 3/22/2011

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.5

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: cpe:/a:oracle:weblogic_server

Required KB Items: www/weblogic

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/18/2011

Vulnerability Publication Date: 1/18/2011

Reference Information

CVE: CVE-2010-4437

BID: 45852