VHCS PHPSESSID Cookie Session Fixation

medium Nessus Plugin ID 25990

Synopsis

The remote web server contains a PHP application that is affected by a session fixation issue.

Description

The remote host is running VHCS, a control panel for hosting providers.

The GUI portion of the version of VHCS installed on the remote host accepts session identifiers from GET (and likely POST) variables rather than only from the PHPSESSID cookie, which makes it susceptible to a session fixation attack. An attacker who can get a user to log in through a specially crafted link carrying a chosen PHPSESSID value, and who knows that the application keeps using the same identifier after authentication, may be able to present that identifier afterwards and gain access to the affected application as that user.
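The attack described above, modelled end to end as an added example. This is not VHCS code and not part of the plugin: the toy application, its routes, the sample account and the attacker-chosen identifier are all constructed for illustration. One flag reproduces the reported weakness (the identifier is taken from the query string), and two further flags show the controls that defeat the attack: refusing identifiers the server did not issue, and rotating the identifier at login.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "PHPSESSID"
USERS = {"alice": "correct horse"}  # constructed sample account, not real data


@dataclass
class Request:
    url: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    body: str
    set_cookie: Optional[str] = None  # PHPSESSID value the server asks the browser to keep


class App:
    """Toy login application with an in-memory session store (assumption: not VHCS)."""

    def __init__(self, accept_sid_from_query: bool, strict_ids: bool, regenerate_on_login: bool):
        self.sessions: Dict[str, dict] = {}
        self.accept_sid_from_query = accept_sid_from_query
        self.strict_ids = strict_ids
        self.regenerate_on_login = regenerate_on_login

    def _resolve_sid(self, req: Request) -> str:
        query = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
        sid = req.cookies.get(SESSION_COOKIE)
        if sid is None and self.accept_sid_from_query:
            sid = query.get(SESSION_COOKIE)  # the weakness: the caller picks the identifier
        if sid is None or (self.strict_ids and sid not in self.sessions):
            sid = secrets.token_hex(16)  # unknown or missing id: issue a fresh server-chosen one
        self.sessions.setdefault(sid, {})
        return sid

    def handle(self, req: Request) -> Response:
        sid = self._resolve_sid(req)
        path = urlsplit(req.url).path
        if path == "/login" and req.form:
            user, password = req.form.get("user"), req.form.get("password")
            if USERS.get(user) != password:
                return Response("bad credentials", set_cookie=sid)
            if self.regenerate_on_login:
                data = self.sessions.pop(sid)  # retire the pre-authentication identifier
                sid = secrets.token_hex(16)
                self.sessions[sid] = data
            self.sessions[sid]["user"] = user
            return Response("welcome " + user, set_cookie=sid)
        if path == "/account":
            user = self.sessions[sid].get("user")
            return Response(f"account of {user}" if user else "please log in", set_cookie=sid)
        return Response("login form", set_cookie=sid)


def run_fixation_attack(app: App, fixed_sid: str = "attacker-chosen-sid") -> bool:
    """Replay the attack: attacker fixes an id via a crafted link, the victim logs in
    through it, the attacker then reuses the id. True when the attacker ends up in the
    victim's authenticated session."""
    # 1. Victim follows the crafted link; the browser stores whatever cookie comes back.
    r = app.handle(Request(f"http://panel.example/login?{SESSION_COOKIE}={fixed_sid}"))
    victim_cookie = {SESSION_COOKIE: r.set_cookie}
    # 2. Victim logs in, sending the cookie the server handed out in step 1.
    r = app.handle(Request("http://panel.example/login", victim_cookie,
                           {"user": "alice", "password": "correct horse"}))
    assert r.body == "welcome alice"
    # 3. Attacker presents the identifier chosen in step 1.
    r = app.handle(Request("http://panel.example/account", {SESSION_COOKIE: fixed_sid}))
    return r.body == "account of alice"


def vulnerable_app() -> App:
    # Mirrors the reported behaviour: id read from the query string, any id accepted, never rotated.
    return App(accept_sid_from_query=True, strict_ids=False, regenerate_on_login=False)


def hardened_app() -> App:
    return App(accept_sid_from_query=False, strict_ids=True, regenerate_on_login=True)
```

Running `run_fixation_attack(vulnerable_app())` returns True and `run_fixation_attack(hardened_app())` returns False. Rotating the identifier at login on its own is already enough to defeat this vector, because the value the attacker planted is retired before it is ever tied to an authenticated user; the three toy flags correspond to PHP's `session.use_only_cookies=1`, `session.use_strict_mode=1` and a call to `session_regenerate_id(true)` after successful authentication.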

Solution

Unknown at this time.

See Also

https://seclists.org/bugtraq/2007/Jul/231

Plugin Details

Severity: Medium

ID: 25990

File Name: vhcs_session_fixation.nasl

Version: 1.19

Type: remote

Family: CGI abuses

Published: 9/5/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Reference Information

CVE: CVE-2007-3988

BID: 25006

CWE: 287