|
|
CVE Reference: CVE-2007-6077 |
|
| NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE. | |
|
Original Page at CVE MITRE: CVE-2007-6077 |
|
|
Description: The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. |
|
|
CVE Status: Candidate |
|
|
References: SAID Secunia Advisory: SA27781 Secunia Advisory: SA28136 CONFIRM http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release http://dev.rubyonrails.org/ticket/10048 http://dev.rubyonrails.org/changeset/8177 http://docs.info.apple.com/article.html?artnum=307179 CERT http://www.us-cert.gov/cas/techalerts/TA07-352A.html BID 26598 APPLE http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html |
|
| Return to the previous page. |
