J-Security Center

Title: Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability

Severity: LOW

Description:

Under certain circumstances, Microsoft IIS transmits in plaintext the contents of Session ID Cookies that should have been marked as secure.

A website may require state information so that it can distinguish one user from another, especially if it handles a great deal of traffic. This is particularly common on e-commerce sites, which must keep track of an individual's shopping order and similar data as they browse from page to page. Session ID Cookies may be used as a method of acquiring this state information: the cookie maintains the identity of a user as they browse a site.

When a user initiates an SSL-secured web session, Session ID Cookies should be marked as secure from then on (see RFC 2109 for reference: http://www.ietf.org/rfc/rfc2109.txt). This is not the case if the user visits an ASP page hosted on IIS: if a user views an ASP document during a secure web session, the Session ID Cookie is then marked as insecure. Once the user visits a non-secure portion of the website, a malicious third party with access to the network traffic between the user and the website can read the contents of the cookie, since it is sent in plaintext. The attacker could then use the credentials from the Session ID Cookie to hijack the session and take any further actions under the identity of the original user.
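The following is an added auditing example, not code from the advisory or from Microsoft or Juniper. It parses Set-Cookie headers the way a defender would when checking a server's responses, flags session cookies that were set on a TLS response without the Secure attribute RFC 2109 calls for, and shows the hardened form of such a header. The sample headers are constructed here; the cookie name ASPSESSIONIDEXAMPLE is an assumption chosen only to resemble an ASP session cookie, and the "session" name heuristic is an assumption, not an IIS rule.

```python
"""Audit Set-Cookie headers for session cookies missing the Secure attribute.

Added example (not part of the original advisory). Runs offline over
constructed header samples; cookie names below are assumptions.
"""
import re
from dataclasses import dataclass, field

# Heuristic (assumption): treat any cookie whose name mentions "session"
# as a session identifier worth protecting.
SESSION_NAME_PATTERN = re.compile(r"session", re.IGNORECASE)


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and attribute flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:  # tolerate a trailing ';'
            continue
        key, sep, val = attr.partition("=")
        # Flag attributes such as Secure/HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return CookieAudit(
        name=name.strip(),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        attributes=attrs,
    )


def find_insecure_session_cookies(set_cookie_headers, over_tls=True):
    """Return names of session cookies set on a TLS response without Secure.

    Such cookies will be replayed in plaintext the moment the browser
    requests a non-TLS page of the same site, which is the exposure the
    advisory describes.
    """
    findings = []
    if not over_tls:
        # A cleartext response cannot be fixed by the Secure flag alone;
        # it is out of scope for this particular check.
        return findings
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if SESSION_NAME_PATTERN.search(cookie.name) and not cookie.secure:
            findings.append(cookie.name)
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Return the header with Secure appended if it is missing (mitigation
    a reverse proxy or application could apply)."""
    if parse_set_cookie(header_value).secure:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


# Constructed sample of headers from one hypothetical HTTPS response.
SAMPLE_HEADERS = [
    "ASPSESSIONIDEXAMPLE=ABCDEF0123456789; path=/",        # insecure (assumed name)
    "SessionToken=deadbeef; path=/; Secure; HttpOnly",      # correctly protected
    "theme=dark; path=/",                                   # not a session cookie
]

if __name__ == "__main__":
    for name in find_insecure_session_cookies(SAMPLE_HEADERS):
        print(f"session cookie {name!r} lacks Secure on a TLS response")
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
```

Run the file directly to see which constructed cookie is flagged and how its hardened header reads; in practice the header list would come from the Set-Cookie values of a real HTTPS response.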

Affected Products:

  • Cisco Building Broadband Service Manager 5.0.0
  • Cisco Call Manager 1.0.0
  • Cisco Call Manager 2.0.0
  • Cisco Call Manager 3.0.0
  • Cisco ICS 7750 0.0.0
  • Cisco IP/VC 3540 Video Rate Matching Module 0.0.0
  • Cisco Unity Server 2.0.0
  • Cisco Unity Server 2.2.0
  • Cisco Unity Server 2.3.0
  • Cisco Unity Server 2.4.0
  • Cisco uOne 1.0.0
  • Cisco uOne 2.0.0
  • Cisco uOne 3.0.0
  • Cisco uOne 4.0.0
  • Microsoft BackOffice 4.0.0
  • Microsoft BackOffice 4.5.0
  • Microsoft IIS 4.0.0
  • Microsoft IIS 5.0
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT 4.0 Option Pack

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.