PT-2007-6979 · Ruby · Ruby On Rails

Published: 2007-11-21 · Updated: 2019-08-08 · CVE-2007-6077

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Ruby on Rails version 1.2.4

Description: The session fixation protection mechanism in Ruby on Rails has an issue that allows remote attackers to conduct session fixation attacks. This is due to an incomplete fix for a previous issue, which causes the :cookie_only attribute to be applied only to the first instantiation of CgiRequest.

Recommendations: For Ruby on Rails version 1.2.4, apply a complete fix to the session fixation protection mechanism so that remote attackers cannot conduct session fixation attacks. As a temporary workaround, consider restricting access to sensitive areas of the application that rely on session fixation protection until a complete fix is applied.
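The description above turns on one property: a session identifier must be accepted only from the cookie the server itself set, never from a URL parameter, and the protection must hold for every request, not just the first one. The following is an added example, written for this page and not code from Ruby on Rails or from the advisory: a small, constructed SessionStore in plain Ruby whose `cookie_only:` keyword mirrors the intent of the :cookie_only attribute named above. The class, its method names and the sample request values are assumptions made for illustration; they are not Rails APIs.

```ruby
require 'securerandom'
require 'cgi'

# Constructed illustration of cookie-only session handling (hypothetical
# class, not part of Ruby on Rails).
class SessionStore
  COOKIE_NAME = '_session_id'

  def initialize
    @sessions = {} # session id => data hash, only for ids this server issued
  end

  # Issue a fresh, server-generated session id.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Locate the session id in the request. With cookie_only: true the id is
  # taken exclusively from the Cookie header; a ?_session_id= query parameter
  # is ignored, so a link carrying a pre-chosen id cannot plant a session.
  # This check runs on every request, not only the first instantiation.
  def id_from_request(cookie_header, query_string, cookie_only: true)
    cookies = parse_cookie(cookie_header)
    return cookies[COOKIE_NAME] if cookies[COOKIE_NAME]
    return nil if cookie_only
    CGI.parse(query_string)[COOKIE_NAME]&.first
  end

  # Look up an existing session. Ids the server never issued are rejected
  # rather than adopted, so a planted id never becomes a live session.
  def load(id)
    @sessions[id]
  end

  # On authentication, move the session data to a new id and drop the old one,
  # so any id known to a third party before login is worthless afterwards.
  def regenerate(old_id)
    data = @sessions.delete(old_id) || {}
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = data
    new_id
  end

  private

  def parse_cookie(header)
    return {} if header.nil? || header.empty?
    header.split(/;\s*/).each_with_object({}) do |pair, h|
      k, v = pair.split('=', 2)
      h[k] = v if k && v
    end
  end
end

# Walk through the three checks with constructed request values and report
# which defensive properties held.
def demo
  store = SessionStore.new
  planted_id = 'deadbeef' * 4 # constructed value chosen by a third party

  # 1. An id carried in the URL is ignored under cookie-only mode.
  via_url = store.id_from_request('', "_session_id=#{planted_id}")

  # 2. An id in a cookie is read, but only a server-issued id resolves.
  from_cookie = store.id_from_request("_session_id=#{planted_id}", '')
  unknown_rejected = store.load(from_cookie).nil?

  # 3. A legitimate session receives a new id at login and keeps its data.
  sid = store.create
  store.load(sid)[:cart] = ['item']
  new_sid = store.regenerate(sid)

  {
    url_ignored: via_url.nil?,
    unknown_rejected: unknown_rejected,
    old_id_dead: store.load(sid).nil?,
    data_kept: store.load(new_sid)[:cart] == ['item'],
    id_changed: new_sid != sid
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The three properties checked by `demo` are the ones an incomplete fix of the kind described above would break: an id offered in the query string must be dropped on every request, an id the server never issued must not be adopted as a session, and the id must change at the moment of login.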

Race Condition


Weakness Enumeration

Related identifiers

CVE-2007-6077
GHSA-P4C6-77GC-694X

Affected products

Ruby On Rails