IIS .ASP Session ID Disclosure and Hijacking

2000-10-23T00:00:00
ID OSVDB:7265
Type osvdb
Reporter C. Conrad Cady(), Ron Sires()
Modified 2000-10-23T00:00:00

Description

Vulnerability Description

Microsoft IIS contains a flaw that may allow a malicious user to access and hijack Session ID cookies. The issue is due to .ASP in IIS using the same Session ID cookies on secure and non-secure web pages. By controlling the communications channel and requesting the non-secure pages on the same website, a remote attacker can obtain the Session ID cookie in plaintext and use it to connect to the user's session with the secure page, resulting in a loss of confidentiality and integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

Short Description

Microsoft IIS contains a flaw that may allow a malicious user to access and hijack Session ID cookies. The issue is due to .ASP in IIS using the same Session ID cookies on secure and non-secure web pages. By controlling the communications channel and requesting the non-secure pages on the same website, a remote attacker can obtain the Session ID cookie in plaintext and use it to connect to the user's session with the secure page, resulting in a loss of confidentiality and integrity.

References:

Other Advisory URL: http://www.acros.si/aspr/ASPR-2000-07-22-1-PUB.txt Microsoft Security Bulletin: MS00-080 Keyword: aka the "Session ID Cookie Marking" vulnerability ISS X-Force ID: 5396 CVE-2000-0970 CIAC Advisory: l-010 Bugtraq ID: 1832