Microsoft Internet Information Server 7.0 potential security flaw which exposes private data and functions to unauthorized persons.
A potential security flaw exists in Microsoft Internet Information Server 7.0 where IIS may issue the same ASP-Session-Id to all http requested until the site’s process is recycled. This is a very serious IIS flaw which can potentially expose private data to unauthorized persons. Below is an image-link of an IIS server having issued the same ASP-Session-Id to 6 sessions. There were actually thousands of sessions that were issued the same ASP-Session-Id for this one occurrence prior to being alerted to the problem. Given the ramifications this problem can cause, you would expect that IIS would have some built in capability to unconditionally avoid this problem but apparently does not. Imagine your site visitors (customers) viewing some other customer’s private data or gaining access to what would otherwise be unauthorized functions. These site visitor could only conclude that this site’s security is flawed and not a place for him/her to do business with. Microsoft Internet Information Server 7.0 potential security flaw which exposes private data and functions to unauthorized persons. Event log @ link below: http://www.bradner.com/images/msiissecurityflawduplicatesessionids.gif
March 11th, 2011 10:50am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics