0 Replies Latest reply on Jun 2, 2014 6:59 AM by Ian Smith

    TM ART Security flaw - Session Fixation Vulnerability

      A recent WebInspect security scan identified an issue in TM ART version 4.2.1; I assume it's the same in older versions. Need to press BMC to provide a solution as soon as possible.


      Session Fixation Vulnerability - Urgent


      Details below, how can we fix this? I see no session administration capabilities on the front-end server or in any of the config files. We are running IIS 7.5; however, ASP.NET is not installed, as TM ART doesn't need ASP.NET, therefore the Session Control feature in IIS is not available:


      WebInspect has found a session fixation vulnerability on the site.

      Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID (SID). This attack can occur when a web application:

      - Fails to supply a new, unique SID to a user following a successful authentication
      - Allows a user to provide the SID to be used after authenticating

      In a session fixation attack, the attacker creates or obtains a valid session identifier and causes the user to provide authentication credentials to the application along with the session identifier. If the application fails to renew this SID after the user logs in, the attacker can use the previously obtained/created value of this SID to clone the authenticated session. The attacker can continue to impersonate the victim user until the SID expires.


      The best way to prevent session fixation attacks is to renew the session ID when a user logs in. This fix can be done at the code level or framework level, depending on where the session management functionality is implemented.
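To make the finding and the recommended fix concrete, here is an added example (not TM ART's code and not from the original post) using only the Python standard library. `SessionStore`, `check_credentials`, the sample user table and the `SID` cookie name are all constructed for illustration. The store can be built in a "weak" mode that keeps the pre-authentication SID across login (the behaviour the scanner flags) or in the hardened mode that discards it and issues a fresh, random SID, so the effect of the fix can be checked directly.

```python
import hmac
import secrets

# Constructed sample credential table for the example (never store plaintext
# passwords in a real system; this stands in for whatever TM ART's backend does).
_USERS = {"alice": "correct horse battery staple"}

# Cookie attributes a hardened deployment would send with the renewed SID.
COOKIE_NAME = "SID"  # assumed name, not TM ART's


def check_credentials(username, password):
    """Constant-time comparison against the constructed user table."""
    expected = _USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Minimal in-memory session store used to contrast weak and fixed login.

    regenerate_on_login=False reproduces the session fixation weakness:
    the SID that existed before authentication becomes the authenticated SID.
    regenerate_on_login=True is the recommended fix: the old SID is destroyed
    and a new, unpredictable one is bound to the authenticated user.
    """

    def __init__(self, regenerate_on_login=True):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # sid -> {"user": username or None}

    def new_session(self):
        """Issue an anonymous (pre-authentication) session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """Authenticate within session `sid`; return the SID to set afterwards."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not check_credentials(username, password):
            return None
        if not self.regenerate_on_login:
            # Weak: privilege is attached to the SID the client already had.
            self._sessions[sid]["user"] = username
            return sid
        # Fixed: retire the pre-authentication SID so any copy of it is useless,
        # then bind the user to a freshly generated identifier.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid

    def user_for(self, sid):
        """Return the authenticated user for `sid`, or None."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def set_cookie_header(sid):
    """Set-Cookie value for the renewed SID with the usual hardening flags."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def pre_auth_sid_is_authenticated_after_login(regenerate_on_login):
    """Simulate the scanner's check: does a SID known before login gain privilege?

    Returns True when the store is vulnerable to session fixation.
    """
    store = SessionStore(regenerate_on_login=regenerate_on_login)
    pre_auth_sid = store.new_session()  # value observable before authentication
    store.login(pre_auth_sid, "alice", "correct horse battery staple")
    return store.user_for(pre_auth_sid) is not None


if __name__ == "__main__":
    print("weak store fixable:", pre_auth_sid_is_authenticated_after_login(False))
    print("fixed store fixable:", pre_auth_sid_is_authenticated_after_login(True))
```

The function `pre_auth_sid_is_authenticated_after_login` is the same test a scanner performs: it records the SID handed out before authentication, logs in with it, and then asks whether that original value is now an authenticated session. The weak store answers yes, the fixed store answers no, because the fix invalidates the old identifier rather than merely adding a second one beside it. Wherever the renewal is implemented (application code, framework, or a reverse proxy in front of IIS), the SID returned after login should also be delivered with `HttpOnly`, `Secure` and a `SameSite` attribute, as `set_cookie_header` shows.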