QwikSec

Security Database

CVE

CWE

Training

CVE-2007-6077

Published: Nov 21, 2007

Modified: Aug 7, 2024

PUBLISHED

Description

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

vdb-entry

x_refsource_VUPEN

third-party-advisory

x_refsource_CERT

third-party-advisory

x_refsource_SECUNIA

third-party-advisory

x_refsource_SECUNIA

http://dev.rubyonrails.org/changeset/8177

x_refsource_CONFIRM

APPLE-SA-2007-12-17

vendor-advisory

x_refsource_APPLE

vdb-entry

x_refsource_BID

http://docs.info.apple.com/article.html?artnum=307179

x_refsource_CONFIRM

http://dev.rubyonrails.org/ticket/10048

x_refsource_CONFIRM

vdb-entry

x_refsource_VUPEN

http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.