Why does a security scan on Red Hat Satellite 5.6 give the result "Session Identifier Not Updated"?
Issue
- Running a security scan against Red Hat Satellite 5.6 produces the following result:
Issue: Session Identifier Not Updated
Risk(s):
It is possible to steal or manipulate a customer's session and cookies, which might be used to impersonate a legitimate user, allowing an attacker to view or alter user records and to perform transactions as that user.
Fix:
Change session identifier values after login: issue a fresh session ID once the user has authenticated, and invalidate the one that was in use before login.
Testing case:
Reasoning:
This content may expose sensitive information.
Request/Response:
POST /rhn/LoginSubmit.do;jsessionid=9F4CAB1C17E69337B970A22DF0DB5F43 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://test.example.com/rhn/Login.do
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Content-Type: application/x-www-form-urlencoded
Host: test.example.com
Content-Length: 82
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=9F4CAB1C17E69337B970A22DF0DB5F43; CP_GUTC=XXX.XXX.XXX.XXX.1403034549457528; Apache=XXX.XXX.XXX.XXX.1403041341871126; v1st=BEC0EDA2B4A19A7C; CDCountryCookie=en_US; CDTheaterCookie="United States & Canada"; CDLanguageCookie=en_US; s_nr=1407430855069-Repeat; ObSSOCookie=RkET6hHDoLm4fPx2aqKF26Y%2Fa91waBAASUmzwhos5FNHp%2FIIPqDWTdi7fFBRsL7LqvskZJnPD10ZBp1ziRYqJMD5ZVluwVgrE4EndX3vFTnvKq3jaxrtu%2B84QbgZcU2hzkiSMmcjdd70xsxZEIT7zx45uEzFK1nM4l%2FvKeFDQg7jvZUBhxGxfukM6P2cAQFKa7NumcgIzneaZvpAG4UpP6NZET%2BExjUlmbXbgvL6NdS82HonzHo6KePBg3iMRzg87S3kQJ%2Fzrk5J4%2Bj8HzCEhE41BVf%2BOwtEyo7O37V%2BQ265HspLb6RybidGGRuwRzm9wa74oX1LBBZc7A3%2FJycp2%2FnLRd3mEYxw4bPPIXurALs%3D

csrf_token=7629059496510537188&username=test&password=%password%3F&login_cb=login

HTTP/1.0 200 OK
Date: Tue, 19 Aug 2014 23:28:32 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 4746
Connection: close
--------------------------------------------------------------------------------
GET /rhn/YourRhn.do HTTP/1.0
Cookie: JSESSIONID=5ACEC76708658CEA0000F08A36D230C7; CP_GUTC=XXX.XXX.XXX.XXX.1403034549457528; Apache=XXX.XXX.XXX.XXX.1403041341871126; v1st=BEC0EDA2B4A19A7C; CDCountryCookie=en_US; CDTheaterCookie="United States & Canada"; CDLanguageCookie=en_US; s_nr=1407430855069-Repeat; ObSSOCookie=RkET6hHDoLm4fPx2aqKF26Y%2Fa91waBAASUmzwhos5FNHp%2FIIPqDWTdi7fFBRsL7LqvskZJnPD10ZBp1ziRYqJMD5ZVluwVgrE4EndX3vFTnvKq3jaxrtu%2B84QbgZcU2hzkiSMmcjdd70xsxZEIT7zx45uEzFK1nM4l%2FvKeFDQg7jvZUBhxGxfukM6P2cAQFKa
...
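The following Python is an added example written for this page; it is not Satellite's code and does not reproduce the scanner's internals. It models what the finding is about: a servlet-style session store hands out JSESSIONID values, a login that authenticates inside the session the client arrived with (so an ID known before login stays valid afterwards, which is session fixation), the hardened login that invalidates that session and binds the user to a new ID (what "change session identifier values after login" asks for), a fixation attempt against each, and a check that does what the scanner does, comparing the ID sent with the login request against the ID issued in the response. The names (SessionStore, login_vulnerable, login_hardened, scanner_check) and the sample cookie headers are constructed for illustration.

```python
"""Added example, not Satellite code: session-id rotation on login and the
scanner-style check for "Session Identifier Not Updated". Names and sample
headers are constructed for illustration."""
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"


class SessionStore:
    """Server-side sessions keyed by id, like a servlet container's manager."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # 16 random bytes as 32 uppercase hex chars, the shape of the ids in the capture above
        sid = secrets.token_hex(16).upper()
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login_vulnerable(store, sid, username, password_ok):
    """Authenticates in place: the id the client arrived with survives login."""
    session = store.get(sid)
    if session is None:            # unknown id: the container would mint a new one
        sid = store.new_session()
        session = store.get(sid)
    if password_ok:
        session["user"] = username
    return sid                     # same id before and after authentication


def login_hardened(store, sid, username, password_ok):
    """Drops the pre-authentication session and binds the user to a fresh id."""
    if not password_ok:
        return sid
    store.invalidate(sid)          # anyone still holding the old id is logged out
    new_sid = store.new_session()
    store.get(new_sid)["user"] = username
    return new_sid


def current_user(store, sid):
    session = store.get(sid)
    return session.get("user") if session else None


def fixation_succeeds(login):
    """Attacker obtains an id, the victim logs in carrying it, attacker reuses it."""
    store = SessionStore()
    planted = store.new_session()              # e.g. the id issued on GET /rhn/Login.do
    login(store, planted, "victim", True)      # victim authenticates with that cookie
    return current_user(store, planted) == "victim"


def session_id_from_cookie_header(header):
    """JSESSIONID from a Cookie: or Set-Cookie: header value, or None if absent."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None


def scanner_check(login_request_cookie, login_response_set_cookies):
    """Scanner-style test: if the id sent with the login POST is still the one
    the client is left with (no Set-Cookie, or one repeating the old value),
    report the finding."""
    before = session_id_from_cookie_header(login_request_cookie)
    issued = [session_id_from_cookie_header(h) for h in login_response_set_cookies]
    issued = [s for s in issued if s]
    if not issued or before in issued:
        return "Session Identifier Not Updated"
    return "ok"


def simulate_login(login):
    """Drive a login function and return the headers the scanner would see."""
    store = SessionStore()
    pre_sid = store.new_session()              # id handed out before authentication
    cookie_header = f"{SESSION_COOKIE}={pre_sid}; CDCountryCookie=en_US"
    post_sid = login(store, pre_sid, "test", True)
    set_cookies = []
    if post_sid != pre_sid:                    # cookie is only re-sent when it changed
        set_cookies.append(f"{SESSION_COOKIE}={post_sid}; Path=/rhn; Secure; HttpOnly")
    return cookie_header, set_cookies


if __name__ == "__main__":
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name}: fixation works = {fixation_succeeds(login)}, "
              f"scanner says {scanner_check(*simulate_login(login))!r}")
```

Running the block prints that fixation works and the scanner reports the finding for the vulnerable login, while the hardened login defeats fixation and passes the check. When reproducing the finding by hand against a real instance, the same comparison applies: note the JSESSIONID sent with the POST to /rhn/LoginSubmit.do and the one in the Set-Cookie header (if any) of the response; if they match, or no new cookie is issued, the session identifier was not updated.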
Environment
- Red Hat Satellite 5.6
