Ruby on Rails Multiple Method Session Fixation
Severity: Medium
Nessus Plugin ID 28333
Synopsis
The remote web server is affected by a session fixation vulnerability.
Description
The web server on the remote host appears to be running a version of Ruby on Rails that supports URL-based sessions. An unauthenticated, remote attacker may be able to leverage this issue to obtain an authenticated session.
Note that Ruby on Rails version 1.2.4 was initially supposed to address this issue, but its session fixation protection only takes effect for the first request, when CgiRequest is first instantiated.
Solution
Upgrade to Ruby on Rails version 1.2.6 or later and make sure 'config.action_controller.session_options[:cookie_only]' is set to 'true' in the 'config/environment.rb' file.
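The following is an added illustration, not Tenable's plugin code or Rails source: a simplified, hypothetical model of how a Rails 1.2-era request picks its session id, run once with the weak setting and once with the :cookie_only setting named in the Solution, to show why URL-supplied ids must be ignored. The function and sample request values are constructed for this example.

```ruby
# Added example (not Tenable's plugin or Rails code): a simplified model of
# session-id resolution to show the effect of session_options[:cookie_only].
require 'securerandom'

SESSION_KEY = '_session_id'

# Resolve the session id a request will use.
#   cookies     - Hash of cookie name => value
#   params      - Hash of query/form parameter name => value (URL-based session)
#   cookie_only - models config.action_controller.session_options[:cookie_only]
# Returns [session_id, source] where source is :cookie, :url or :new.
def resolve_session_id(cookies, params, cookie_only:)
  return [cookies[SESSION_KEY], :cookie] if cookies[SESSION_KEY]
  # Weak setting: an id carried in the URL is trusted, so a session id that
  # someone else chose becomes the victim's session (the fixation the plugin
  # reports).
  return [params[SESSION_KEY], :url] if !cookie_only && params[SESSION_KEY]
  # Hardened setting: URL-supplied ids are ignored and a fresh id is minted.
  [SecureRandom.hex(16), :new]
end

# Constructed sample request: no session cookie, but an id in the query string.
SAMPLE_COOKIES = {}
SAMPLE_PARAMS  = { SESSION_KEY => 'externally-chosen-id' } # constructed value

# Weak configuration (the behaviour the plugin detects):
#   config.action_controller.session_options[:cookie_only] = false
WEAK = resolve_session_id(SAMPLE_COOKIES, SAMPLE_PARAMS, cookie_only: false)
# Corrected configuration from the Solution:
#   config.action_controller.session_options[:cookie_only] = true
HARD = resolve_session_id(SAMPLE_COOKIES, SAMPLE_PARAMS, cookie_only: true)

if __FILE__ == $0
  puts "cookie_only=false -> #{WEAK.inspect}"   # id taken from the URL
  puts "cookie_only=true  -> #{HARD.inspect}"   # fresh server-generated id
end
```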