eliminates a security vulnerability in Microsoft Internet Information Server which could allow a malicious user to steal a user's secure Web session under a very restricted set of circumstances.
Internet Information Server (IIS) uses a session ID cookie to carry the identifier of the current Web session. However, ASP pages in IIS cannot create secure session ID cookies as defined in RFC 2109, that is, cookies carrying the Secure attribute, which a browser returns only over an encrypted connection. As a result, secure and non-secure pages on the same Web site share one session ID cookie, and nothing tells the browser to withhold it from plain HTTP requests.
If a user initiates a session with a secure Web page, a session ID cookie is generated and sent to the user inside the SSL (Secure Sockets Layer) connection. If the user subsequently visits a non-secure page on the same site, the browser returns the same session ID cookie, but this time in plain text.
A malicious user positioned to read the communications channel could capture the plain-text session ID cookie, present it to the site over a new SSL connection to the user's session with the secure page, and take any action on the secure page that is available to the user. SSL itself is not broken: the cookie is the session credential, and it was exposed on the unencrypted leg.
The conditions under which this vulnerability could be exploited are rather daunting. The malicious user would need control over, or at least a view of, the other user's communications with the Web site, and the user would have to request both a secure and a non-secure page on the same site within one session. Even then, the malicious user could not make the initial connection to the secure page: the session must first be established by the legitimate user, so the exposure is limited to hijacking an existing session, not creating one.
The patch eliminates the vulnerability by adding support for secure session ID cookies in ASP pages, so that a session ID cookie issued over SSL can be marked Secure and a compliant browser then sends it only over SSL, never on a plain-text request to the same site.
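The sequence described above, modelled as an added example that is not part of this page, of the patch, or of IIS: a minimal browser-side cookie jar implementing the RFC 2109 Secure rule, a request builder that shows what reaches the wire, a passive eavesdropper on the plain-text leg, and a toy server session table. The host name, the cookie name and value, the session table and the ASPSESSIONID regular expression are constructed for the demonstration; the cookie follows the ASPSESSIONIDxxxx=value shape IIS issues, but the values are invented.

```python
"""Model of the session-ID cookie leak described above and of the fix.

Added example, not code from the patch or from IIS: the browser-side
cookie jar, the eavesdropper, the toy session table and every cookie
value and host name below are constructed for the demonstration."""
import re
from urllib.parse import urlparse

# Constructed sample session cookie in the ASPSESSIONIDxxxx=value shape IIS uses.
SESSION_COOKIE = ("ASPSESSIONIDGGQGGQCZ", "PDFMCNKDBDIHHAHHEDLIJNKO")
SITE = "www.example.com"  # constructed host name


class CookieJar:
    """Minimal client-side cookie store with the one RFC 2109 rule that
    matters here: a cookie carrying the Secure attribute is attached only
    to requests that travel over an encrypted (https) connection."""

    def __init__(self):
        self.cookies = {}  # name -> {"value", "secure", "path"}

    def store(self, set_cookie_header):
        """Parse a Set-Cookie header: NAME=VALUE followed by ;attr[=val] pairs."""
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        self.cookies[name] = {"value": value,
                              "secure": "secure" in attrs,
                              "path": attrs.get("path") or "/"}

    def cookie_header_for(self, url):
        """The Cookie: header a browser would send to url, or None."""
        u = urlparse(url)
        over_ssl = u.scheme == "https"
        pairs = [f"{n}={c['value']}" for n, c in self.cookies.items()
                 if (over_ssl or not c["secure"])
                 and (u.path or "/").startswith(c["path"])]
        return "; ".join(pairs) if pairs else None


def build_request(url, jar):
    """Plain-text HTTP/1.0 request exactly as it would appear on the wire."""
    u = urlparse(url)
    lines = [f"GET {u.path} HTTP/1.0", f"Host: {u.netloc}"]
    cookie = jar.cookie_header_for(url)
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return "\r\n".join(lines) + "\r\n\r\n"


SESSION_ID_RE = re.compile(r"(ASPSESSIONID[A-Z]+=[A-Z]+)")  # constructed pattern


def eavesdrop(wire_text):
    """What a passive observer of the unencrypted leg recovers: the session
    ID if the Cookie header carries one, otherwise None."""
    m = SESSION_ID_RE.search(wire_text)
    return m.group(1) if m else None


# Toy server-side session table: session ID -> logged-in user (constructed).
SESSIONS = {"=".join(SESSION_COOKIE): "alice"}


def server_user_for(cookie_header):
    """Which user the secure page would act on behalf of for this Cookie header."""
    for pair in (cookie_header or "").split(";"):
        user = SESSIONS.get(pair.strip())
        if user:
            return user
    return None


def scenario(cookie_marked_secure):
    """Walk the advisory's sequence: session created over SSL, then a
    non-secure page on the same site, then the attacker replays whatever
    leaked.  Returns (leaked_session_id, user_the_attacker_becomes)."""
    jar = CookieJar()
    set_cookie = f"{SESSION_COOKIE[0]}={SESSION_COOKIE[1]}; path=/"
    if cookie_marked_secure:  # behaviour with the patch: cookie marked Secure
        set_cookie += "; secure"
    jar.store(set_cookie)  # delivered inside the SSL session, unseen by the attacker
    # The user now visits a plain-http page on the same site.
    wire = build_request(f"http://{SITE}/news/index.asp", jar)
    leaked = eavesdrop(wire)
    # The attacker presents the captured cookie to the secure page over https.
    hijacked = server_user_for(leaked) if leaked else None
    return leaked, hijacked


if __name__ == "__main__":
    print("unpatched:", scenario(False))
    print("patched:  ", scenario(True))
```

Unpatched, the plain-text request to `/news/index.asp` carries the session ID and the attacker becomes `alice`; with the Secure attribute the http request has no Cookie header at all, while the same jar still returns the cookie on an https request to the secure page, so the legitimate session keeps working. Later IIS versions expose this behaviour as the AspKeepSessionIDSecure metabase property; this page does not say how the IIS 4.0 patch is switched on, so check the patch's own documentation.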
Microsoft IIS 4.0 Session ID Cookie Marking Vulnerability Patch runs on Windows NT and is available under the Freeware license; the installer is 3 MB. We've catalogued it under Servers.