Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability
Under certain circumstances, Microsoft IIS will transmit in plaintext the contents of Session ID Cookies that should have been marked as secure.

A website may require state information so that it can distinguish one user from another, particularly when it handles a large volume of traffic. This is common on e-commerce sites, which must keep track of an individual's shopping order and similar data as they browse from page to page. Session ID Cookies are one method of acquiring such state information: they maintain the identity of a user as they browse a site. When a user initiates an SSL-secured web session, any Session ID Cookies set from that point on should carry the "Secure" attribute, so that the browser returns them only over a secure connection (see RFC 2109 for reference: http://www.ietf.org/rfc/rfc2109.txt).

This is not the case if the user visits an ASP page hosted on IIS. If a user views an ASP document during a secure web session, the Session ID Cookie is set without the secure attribute. Once the user visits a non-secure portion of the website, the browser sends the cookie in plaintext, and a malicious third party with access to the network traffic between the user and the website can read its contents. The attacker can then replay the Session ID Cookie value to hijack the session and take any further actions under the identity of the original user.
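The following is an added example, not code from the advisory or from Microsoft. It shows two checks a practitioner would want here: first, scanning the Set-Cookie headers of an HTTPS response for session cookies that lack the Secure attribute, and second, extracting what an on-path attacker would recover from the plaintext HTTP request the browser later sends to a non-secure page. The cookie-name prefixes are assumptions (ASPSESSIONID is the prefix IIS/ASP uses for its session cookie; the others are illustrative), and the sample headers and request are constructed, not captured from a real server.

```python
"""Flag session cookies set over HTTPS without the Secure attribute (RFC 2109, 4.2.2),
and show what an eavesdropper recovers once the browser sends them over plain HTTP.

Added example, not part of the original advisory. The cookie-name prefixes
below are assumptions (ASPSESSIONID is assumed to be the IIS/ASP session cookie
prefix); all sample data is constructed.
"""
from typing import Dict, List

# Assumed prefixes of cookie names that carry session state.
SESSION_COOKIE_PREFIXES = ("ASPSESSIONID", "SESSIONID", "PHPSESSID")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header value into name, value and a dict of attributes.

    Attribute keys are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def insecure_session_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of session cookies that were set without the Secure attribute.

    The input is the list of Set-Cookie values from an HTTPS response; a session
    cookie in that list without Secure will be sent by the browser over plain HTTP.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not str(cookie["name"]).upper().startswith(SESSION_COOKIE_PREFIXES):
            continue
        if "secure" not in cookie["attrs"]:
            findings.append(str(cookie["name"]))
    return findings


def sniffed_session_cookies(raw_request: str) -> Dict[str, str]:
    """From a plaintext HTTP request, return the session cookie name/value pairs
    that anyone on the network path could read and replay."""
    found: Dict[str, str] = {}
    for line in raw_request.split("\r\n"):
        if not line.lower().startswith("cookie:"):
            continue
        for pair in line.split(":", 1)[1].split(";"):
            name, _, value = pair.strip().partition("=")
            if name.upper().startswith(SESSION_COOKIE_PREFIXES):
                found[name] = value
    return found


# Constructed Set-Cookie values, as if returned by an HTTPS response from an ASP page.
SAMPLE_HEADERS = [
    "ASPSESSIONIDQQGGQGQG=KJHGFDSAPOIUYTREWQ; path=/",          # vulnerable: no Secure
    "ASPSESSIONIDABCDEFGH=ZXCVBNMASDFGHJKLQ; path=/; secure",    # correctly marked
    "theme=dark; path=/; expires=Wed, 09-Jun-2021 10:18:14 GMT",  # not a session cookie
]

# Constructed plaintext request the browser sends when the user later visits a
# non-secure page on the same site; the unsecured cookie rides along.
SAMPLE_PLAINTEXT_REQUEST = (
    "GET /help.htm HTTP/1.0\r\n"
    "Host: shop.example.com\r\n"
    "Cookie: theme=dark; ASPSESSIONIDQQGGQGQG=KJHGFDSAPOIUYTREWQ\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name in insecure_session_cookies(SAMPLE_HEADERS):
        print(f"{name}: set over HTTPS without Secure; browser will send it over plain HTTP")
    for name, value in sniffed_session_cookies(SAMPLE_PLAINTEXT_REQUEST).items():
        print(f"recovered from plaintext request: {name}={value}")
```

Run against real traffic, the Set-Cookie values would come from the HTTPS response headers and the request from a packet capture; the fix on the server side is for the session cookie to be issued with the Secure attribute so the browser never sends it over a non-SSL connection.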