- Quick specs
- Price: Free
- Operating system: Windows NT
- Date added: October 25, 2000
- Total Downloads: 1,803
- Downloads last week: 2
- See full specifications
- Average user rating: stars out of 1 votes
See all user reviews
Publisher's description
From Microsoft :This patch eliminates a security vulnerability in Microsoft Internet Information server that would allow a malicious user to hijack another user's secure Web session under a very restricted set of circumstances.
IIS supports the use of a session ID cookie to track the current session identifier for a Web session. However, ASP in IIS does not support the creation of secure session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same Web site use the same session ID. If a user initiated a session with a secure Web page, a session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext session ID cookie and use it to connect to the user's session with the secure page. At that point, he could take any action on the secure page that the user could take.
The conditions under which this vulnerability could be exploited are rather daunting. The malicious user would need to have complete control over the other user's communications with the Web site. Even then, the malicious user could not make the initial connection to the secure page; only the legitimate user could do that. The patch eliminates the vulnerability by adding support for secure session ID cookies in ASP pages. (Secure cookies already are supported for all other types of cookies, under all other technologies in IIS).
See the FAQ for more information.
More popular Corporate Security Software downloads
- 2,262 downloads 1. Folder Guard
- 1,069 downloads 2. L0phtCrack
- 749 downloads 3. McAfee Total Protection for Small Business
- 683 downloads 4. Spyware Doctor Enterprise Free Edition
- 489 downloads 5. Wireshark
- See all Corporate Security Software downloads
User reviews
Write your own review Be the first one to review Microsoft IIS4 "Session ID Cookie Marking" Vulnerability Patch (MS00-080) and share your experience with the CNET community!
Previous versions: See all user reviews
Submit your review
- See more CNET content tagged:
- Microsoft ASP,
- Microsoft IIS Server,
- cookie,
- malicious user,
- session
