Reported October 23, 2000 by Microsoft & ACROS Security

VERSIONS AFFECTED
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0

DESCRIPTION

Internet Information Server, like most web servers, supports the use of session ID cookies. However, .ASP does not support the creation of secure session cookies. As a result, the same session ID cookies are used for secure (SSL) and non-secure sessions. Under certain circumstances this would allow a malicious user to hijack a user's secure session.
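
A check for the condition described above, as an added example that is not part of the original advisory or Microsoft's patch: it flags ASP session cookies issued over SSL without the Secure attribute, and session IDs that a client sent over both HTTP and HTTPS. The exchange format, function names and sample traffic are constructed for illustration.

```python
import re

# Classic ASP names its session cookie ASPSESSIONID plus a generated suffix.
ASP_SESSION_RE = re.compile(r"^ASPSESSIONID[A-Z]*$", re.IGNORECASE)

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, lowercase attribute dict)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), val.strip(), attrs

def parse_cookie(value):
    """Split a request Cookie header into (name, value) pairs."""
    pairs = []
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            pairs.append((name, val))
    return pairs

def audit(exchanges):
    """Return sorted findings for ASP session cookies shared across SSL and plain HTTP."""
    findings, schemes_by_id = set(), {}
    for ex in exchanges:
        for raw in ex.get("set_cookie", []):
            name, val, attrs = parse_set_cookie(raw)
            if ASP_SESSION_RE.match(name) and ex["scheme"] == "https" and "secure" not in attrs:
                findings.add(("no-secure-attribute", name))
        for name, val in parse_cookie(ex.get("cookie", "")):
            if ASP_SESSION_RE.match(name):
                schemes_by_id.setdefault((name, val), set()).add(ex["scheme"])
    for (name, _), schemes in schemes_by_id.items():
        if {"http", "https"} <= schemes:
            findings.add(("sent-over-http-and-https", name))
    return sorted(findings)

# Constructed sample traffic (not from the advisory): one session used on both schemes.
SAMPLE = [
    {"scheme": "https", "set_cookie": ["ASPSESSIONIDQQGGGNCG=EXAMPLEVALUE0001; path=/"]},
    {"scheme": "https", "cookie": "ASPSESSIONIDQQGGGNCG=EXAMPLEVALUE0001"},
    {"scheme": "http", "cookie": "lang=en; ASPSESSIONIDQQGGGNCG=EXAMPLEVALUE0001"},
    {"scheme": "https", "set_cookie": ["ASPSESSIONIDAAAABBBB=EXAMPLEVALUE0002; path=/; Secure"]},
]
```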

VENDOR RESPONSE

Microsoft has released a security advisory, MS00-0080, and the following patches are available:

Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25233

Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25232

CREDIT
Discovered by
ACROS Security