ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Join ZDNet's roundtable on datacentres

Resources Downloads

Download Now

Microsoft IIS4 "Session ID Cookie Marking" Vulnerability Patch (MS00-080)


License Free
Requirements Windows NT 4.0, Internet Information server 4.0
Downloads 123 Limitations None
Publisher Microsoft File Size 2.7M
Date added 26 Oct 2000 Check your speed

This patch eliminates a security vulnerability in Microsoft Internet Information server that would allow a malicious user to hijack another user's secure Web session under a very restricted set of circumstances.

IIS supports the use of a session ID cookie to track the current session identifier for a Web session. However, ASP in IIS does not support the creation of secure session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same Web site use the same session ID. If a user initiated a session with a secure Web page, a session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext session ID cookie and use it to connect to the user's session with the secure page. At that point, he could take any action on the secure page that the user could take.

The conditions under which this vulnerability could be exploited are rather daunting. The malicious user would need to have complete control over the other user's communications with the Web site. Even then, the malicious user could not make the initial connection to the secure page; only the legitimate user could do that. The patch eliminates the vulnerability by adding support for secure session ID cookies in ASP pages. (Secure cookies already are supported for all other types of cookies, under all other technologies in IIS).

See the FAQ for more information.

Download Now

Did you find this download useful?
21 out of 40 users found this download useful


People who downloaded this software also downloaded...

Web Form SPAM Protection 1.5.1

Protect your files against spam spiders by encrypting your Web form code.

More info +


Sa4o - SafestMail4Outlook 2

Protect your e-mail against unsolicited messages and spams.

More info +


SolidShare 2.6.11

Connect anyone on your network to the Internet with one ISP account and one modem.

More info +


RIP Killer Popup Blocker 3.12

Keep your surfing private while stopping annoying pop-ups and Flash ads.

More info +


SpyWall Anti-Spyware 1.4.3.1

Remove spyware and keep them out with a browser sandbox.

More info +


Cute Password Manager 2008.1.3.8

Log into Web sites and fill forms with just a few mouse clicks.

More info +


Safe AutoLogon 1.5.93

Save Windows account information encrypted in AES/Triple-DES and log on automatically.

More info +


n-Pass2Go 2.7.0.465

Store and manage your passwords and encrypted data on any removable device.

More info +


Watch N Catch 1.0

Protect your assets with an IP-based video surveillance system.

More info +


EasyCryptor 1

Encrypt and decrypt any files and send results to your e-mail address.

More info +




Download

Embarcadero Power SQL

Embarcadero PowerSQL simplifies SQL development for application developers with many features for improving productivity and reducing errors.

  • Downloads: 4,794
  • Requirements:
  • License: Vendor registration required
  • Publisher: Embarcadero
  • Size: 0

Download Now

Sentry Posts Blog

Nasa and the virus

Yesterday the BBC ran a story about a computer virus making it into orbit, which I read with incredulity. OK, it's a nice silly season story on the surface, but what really got me was... More

3 comments

Customer data found on eBay server hig...

The recent news about customer details being retrieved from a server sold on eBay is yet another story about the sorry state of information security in the electronic age (see: http://news.zdnet.co.uk/...m).... More

Post a comment

Does it matter if you are an aardvark...

In spam terms, apparently it does. According to Cambridge University security expert Richard Clayton, if your email address is aardvark at animal.net, you are more likely to receive... More

5 comments

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.

By: RonaldWilkins

Read full story:
Deloitte: People are still weakest security link

DOWNLOAD

Security Essentials

Security Downloads

There are masses of security suites out there for small businesses. Here's a selection to get you started

Editor’s Rating
1 Norton 360™
2 AVG Anti-Virus Free Edition Rating: 10
3 PC Tools AntiVirus Free Edition
4 Kaspersky Internet Security

See All Software

In association with Symantec