Ruby on Rails Multiple Method Session Fixation

Medium Nessus Plugin ID 28333


The remote web server is affected by a session fixation vulnerability.


The web server on the remote host appears to be running an application built on a version of Ruby on Rails that accepts session identifiers passed in the URL (URL-based sessions). An unauthenticated, remote attacker can place a session ID of their own choosing in a link; if a victim follows that link and then authenticates, the fixed session becomes an authenticated one that the attacker can use.

Note that Ruby on Rails version 1.2.4 was intended to address this issue, but its session fixation protection only takes effect for the first request, when CgiRequest is first instantiated; later requests handled by the same process again accept URL-based session IDs.


Upgrade to Ruby on Rails version 1.2.6 or later and make sure 'config.action_controller.session_options[:cookie_only]' is set to 'true' in the 'config/environment.rb' file. When verifying the fix by hand, send a request carrying a '_session_id' query parameter to a process that has already served other requests (not only its first) and confirm that the server does not adopt the supplied value.
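As an added illustration (neither Nessus plugin code nor Rails source), the following Ruby model shows why a URL-supplied session ID enables fixation and why a protection that only holds for the first request is not enough. The SessionServer class, its three policies and the simulated request flow are assumptions of this model, not Rails internals; the :first_only policy simply reproduces the behaviour described above.

```ruby
# Added example (not Nessus or Rails code): a minimal model of how a Rails 1.x
# CGI-style session store picks the session ID, used to show why URL-based
# session IDs permit fixation and why cookie_only must hold on every request.
require 'securerandom'

SESSION_KEY = '_session_id'

# Simplified server. `policy` models three behaviours (assumed model, not Rails):
#   :url_or_cookie - pre-1.2.4 default: a _session_id query parameter is honoured
#   :first_only    - the 1.2.4 defect as described on this page: cookie_only is
#                    enforced only for the first request the process handles
#   :cookie_only   - 1.2.6 with session_options[:cookie_only] = true
class SessionServer
  attr_reader :sessions

  def initialize(policy)
    @policy = policy
    @sessions = {}        # session id => session data hash
    @requests_seen = 0
  end

  # Returns [session_id, set_cookie_id]; set_cookie_id is non-nil when the
  # client must store a new cookie value.
  def resolve_session(query, cookies)
    @requests_seen += 1
    from_url = query[SESSION_KEY]
    from_cookie = cookies[SESSION_KEY]

    enforce_cookie_only =
      case @policy
      when :cookie_only then true
      when :first_only  then @requests_seen == 1   # the defect being modelled
      else false
      end

    raise ArgumentError, 'session id in URL rejected (cookie_only)' if from_url && enforce_cookie_only

    sid = from_cookie || from_url
    return [sid, nil] if sid && @sessions.key?(sid)

    # An unknown id supplied in the URL is adopted as-is when URL sessions are
    # permitted: this is the fixation primitive. Unknown cookie ids get a fresh
    # id in this model (cookie injection is out of scope here).
    sid = SecureRandom.hex(16) unless sid && from_url
    @sessions[sid] = {}
    [sid, sid]
  end

  def login(sid, user)
    @sessions[sid][:user] = user
  end

  def current_user(sid)
    @sessions.dig(sid, :user)
  end
end

# Simulates the attack: the attacker chooses an id, lures the victim to a link
# carrying it, the victim logs in, then the attacker presents the same id.
# Returns the user the attacker's request is treated as (nil = attack failed).
# warmup_requests models unrelated traffic served before the victim arrives.
def fixation_attack(policy, warmup_requests: 0)
  server = SessionServer.new(policy)
  warmup_requests.times { server.resolve_session({}, {}) }
  attacker_sid = 'attackerchosen0123456789abcdef'

  # Victim follows http://victim-app/login?_session_id=<attacker_sid>
  victim_sid, set_cookie = begin
    server.resolve_session({ SESSION_KEY => attacker_sid }, {})
  rescue ArgumentError
    return nil   # request rejected, nothing was fixed
  end

  # Victim's browser keeps whatever cookie the server set, then authenticates.
  victim_cookies = { SESSION_KEY => (set_cookie || victim_sid) }
  victim_sid, _ = server.resolve_session({}, victim_cookies)
  server.login(victim_sid, 'alice')

  # Attacker now replays the id they chose.
  attacker_req_sid, _ = server.resolve_session({}, { SESSION_KEY => attacker_sid })
  server.current_user(attacker_req_sid)
end

if __FILE__ == $0
  puts "url_or_cookie:            #{fixation_attack(:url_or_cookie).inspect}"
  puts "first_only (1st request): #{fixation_attack(:first_only).inspect}"
  puts "first_only (2nd request): #{fixation_attack(:first_only, warmup_requests: 1).inspect}"
  puts "cookie_only:              #{fixation_attack(:cookie_only, warmup_requests: 3).inspect}"
end
```

The :first_only run makes the practical point for a scanner or a manual check: testing only the first request a freshly started process serves would report the 1.2.4 behaviour as fixed, while any later request still adopts the attacker's ID.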

Plugin Details

Severity: Medium

ID: 28333

File Name: ror_session_fixation.nasl

Version: $Revision: 1.14 $

Type: remote

Family: Web Servers

Published: 2007/11/28

Modified: 2012/07/30

Dependencies: 10107, 10386

Risk Information

Risk Factor: Medium


Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:rubyonrails:ruby_on_rails

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2007-5380, CVE-2007-6077

BID: 26096, 26598

OSVDB: 39193, 40718

CWE: 362