Why does a security scan on Red Hat Satellite 5.6 report "Session Identifier Not Updated"?

Solution Verified - Updated -

Issue

  • While running a security scan against Red Hat Satellite 5.6, the scanner reports the following finding:
Issue: Session Identifier Not Updated
Risk(s):
It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Fix:
Change session identifier values after login

Testing case:


Reasoning:
    This content may expose sensitive information.
Request/Response:
    POST /rhn/LoginSubmit.do;jsessionid=9F4CAB1C17E69337B970A22DF0DB5F43 HTTP/1.1
    Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-
    xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Referer: https://test.example.com/rhn/Login.do
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Content-Type: application/x-www-form-urlencoded
    Host: test.example.com
    Content-Length: 82
    DNT: 1
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: JSESSIONID=9F4CAB1C17E69337B970A22DF0DB5F43; CP_GUTC=XXX.XXX.XXX.XXX.1403034549457528;
    Apache=XXX.XXX.XXX.XXX.1403041341871126; v1st=BEC0EDA2B4A19A7C; CDCountryCookie=en_US; CDTheaterCookie="United States
    & Canada"; CDLanguageCookie=en_US; s_nr=1407430855069-Repeat;
    ObSSOCookie=RkET6hHDoLm4fPx2aqKF26Y%2Fa91waBAASUmzwhos5FNHp%2FIIPqDWTdi7fFBRsL7LqvskZJnPD10ZBp1ziRYqJMD5ZVluwVgrE
    4EndX3vFTnvKq3jaxrtu%2B84QbgZcU2hzkiSMmcjdd70xsxZEIT7zx45uEzFK1nM4l%2FvKeFDQg7jvZUBhxGxfukM6P2cAQFKa7NumcgIzneaZv
    pAG4UpP6NZET%2BExjUlmbXbgvL6NdS82HonzHo6KePBg3iMRzg87S3kQJ%2Fzrk5J4%2Bj8HzCEhE41BVf%2BOwtEyo7O37V%2BQ265HspLb6Ryb
    idGGRuwRzm9wa74oX1LBBZc7A3%2FJycp2%2FnLRd3mEYxw4bPPIXurALs%3D
    csrf_token=7629059496510537188&username=test&password=%password%3F&login_cb=login
    HTTP/1.0 200 OK
    Date: Tue, 19 Aug 2014 23:28:32 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 4746
    Connection: close
    --------------------------------------------------------------------------------
    GET /rhn/YourRhn.do HTTP/1.0
    Cookie: JSESSIONID=5ACEC76708658CEA0000F08A36D230C7; CP_GUTC=173.37.111.55.1403034549457528;
    Apache=XXX.XXX.XXX.XXX.1403041341871126; v1st=BEC0EDA2B4A19A7C; CDCountryCookie=en_US; CDTheaterCookie="United States
    & Canada"; CDLanguageCookie=en_US; s_nr=1407430855069-Repeat;
    ObSSOCookie=RkET6hHDoLm4fPx2aqKF26Y%2Fa91waBAASUmzwhos5FNHp%2FIIPqDWTdi7fFBRsL7LqvskZJnPD10ZBp1ziRYqJMD5ZVluwVgrE
    4EndX3vFTnvKq3jaxrtu%2B84QbgZcU2hzkiSMmcjdd70xsxZEIT7zx45uEzFK1nM4l%2FvKeFDQg7jvZUBhxGxfukM6P2cAQFKa
    ...
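The finding above is a session fixation check: the scanner compares the JSESSIONID the browser sends with the login POST against the one the server hands out once the login succeeds, and flags the application when they are the same. The following Python script is an added example, not part of the Red Hat article and not Satellite code, that applies the same comparison to a captured login exchange so an administrator can reproduce the scanner's verdict from their own trace. The session ids, cookie values and the `LoginExchange` container are constructed placeholders.

```python
"""Check whether a web application rotates its session identifier at login.

Added example (not from the Red Hat article): given a captured login
exchange, compare the session cookie the client sent *with* the login
request against the one the server issued *after* a successful login.
The scanner finding "Session Identifier Not Updated" means the two match.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Tomcat's default session cookie name, as seen in the scan output above.
SESSION_COOKIE = "JSESSIONID"


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a request 'Cookie:' header value into {name: value}.

    Splits on ';' and on the first '=' only, so URL-encoded values such as
    the ObSSOCookie in the trace (which contain '%2F' and '%3D') survive
    intact. Double-quoted values are unquoted.
    """
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip().strip('"')
    return cookies


def session_id_from_set_cookie(set_cookie_headers: List[str],
                               name: str = SESSION_COOKIE) -> Optional[str]:
    """Return the value the server assigned to `name` via Set-Cookie, or None."""
    for header in set_cookie_headers:
        first_attr = header.split(";", 1)[0]  # 'NAME=VALUE' precedes Path/Secure/HttpOnly
        if "=" in first_attr:
            cname, cvalue = first_attr.split("=", 1)
            if cname.strip() == name:
                return cvalue.strip().strip('"')
    return None


@dataclass
class LoginExchange:
    """Constructed container: request Cookie header and response Set-Cookie headers."""
    request_cookie_header: str
    response_set_cookie: List[str] = field(default_factory=list)


def check_session_rotation(exchange: LoginExchange,
                           name: str = SESSION_COOKIE) -> dict:
    """Classify the exchange the way the scanner does.

    Verdicts:
      'rotated'      - server issued a new id at login (expected behaviour)
      'not_updated'  - server kept the pre-login id (the scanner finding)
      'no_pre_login' - client sent no session cookie, nothing to compare
    """
    before = parse_cookie_header(exchange.request_cookie_header).get(name)
    after = session_id_from_set_cookie(exchange.response_set_cookie, name)
    if before is None:
        verdict = "no_pre_login"
    elif after is None or after == before:
        # No new cookie, or the same cookie again: the pre-login session
        # survives authentication, which is what the scanner reports.
        verdict = "not_updated"
    else:
        verdict = "rotated"
    return {"before": before, "after": after, "verdict": verdict}


# Constructed sample exchanges with placeholder ids (not the ids from the scan).
FIXATED = LoginExchange(
    request_cookie_header='JSESSIONID=AAAA1111; CDTheaterCookie="United States & Canada"; '
                          'ObSSOCookie=abc%2Fdef%3D',
    response_set_cookie=[],  # 200 OK but no new session cookie issued
)
ROTATED = LoginExchange(
    request_cookie_header="JSESSIONID=AAAA1111; CDLanguageCookie=en_US",
    response_set_cookie=["JSESSIONID=BBBB2222; Path=/rhn; Secure; HttpOnly"],
)

if __name__ == "__main__":
    for label, exchange in (("fixated", FIXATED), ("rotated", ROTATED)):
        print(label, check_session_rotation(exchange))
```

To apply it to a real trace, paste the `Cookie:` value from the login POST and the `Set-Cookie:` headers from its response into a `LoginExchange`; a verdict of `not_updated` is the condition the scanner flags. On the server side, Java servlet applications in general clear this finding by issuing a fresh identifier at authentication, for example with `HttpServletRequest.changeSessionId()` (Servlet 3.1 and later) or by calling `session.invalidate()` followed by `request.getSession(true)`; whether and how Satellite 5.6 does this is not stated in the portion of the article reproduced here.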

Environment

  • Red Hat Satellite 5.6
