CVE-2000-0970

Name of the Vulnerable Software and Affected Versions IIS versions 4.0 through 5.0

Description The issue allows remote attackers to hijack a secure web session of a user if that user moves to an insecure session. This occurs because .ASP pages send the same Session ID cookie for both secure and insecure web sessions.

Recommendations For IIS versions 4.0 through 5.0, consider restricting access to secure web sessions to minimize the risk of exploitation. As a temporary workaround, avoid using the same Session ID cookie for secure and insecure web sessions until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.