Facebook
Twitter
M
md3vxx
Guest
Does anyone know how to correctly disable session fixation within Plesk?
I have defined:
session.use_cookies = 1
session.use_only_cookies = 1
Within /usr/local/psa/admin/conf/php.ini and restarted the Plesk server service:
/etc/init.d/sw-cp-server restart
But Plesk continues to be vulnerable:
REQUEST https://my.server.net:8443/?PHPSESSID=0123456789abcdef0123456789abcdef
GET /?PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.1
Host: my.server.net:8443
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: PHPSESSID=0123456789abcdef0123456789
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Expires: Thu, 16 Dec 2010 11:47:58 GMT, Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=2592000, post-check=0, pre-check=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Tue, 16 Nov 2010 11:47:58 GMT
P3P: CP="NON COR CURa ADMa OUR NOR UNI COM NAV STA"
Set-Cookie: PHPSESSID=0123456789abcdef0123456789abcdef; path=/
Pragma: no-cache
Content-Type: text/html
Date: Tue, 16 Nov 2010 11:47:58 GMT
Server: sw-cp-server/1.0.0
As you can see the server fixes the cookie (Set-Cookie) ssent by the client. You can run this server using the Firefox Live Headers plugin.
I am writing a PCI 2.0 compliance document for Plesk based on the original, http://www.md3v.com/pci-compliance-for-parallels-plesk, but am unable to resolve this issue.
Christopher.
I have defined:
session.use_cookies = 1
session.use_only_cookies = 1
Within /usr/local/psa/admin/conf/php.ini and restarted the Plesk server service:
/etc/init.d/sw-cp-server restart
But Plesk continues to be vulnerable:
REQUEST https://my.server.net:8443/?PHPSESSID=0123456789abcdef0123456789abcdef
GET /?PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.1
Host: my.server.net:8443
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: PHPSESSID=0123456789abcdef0123456789
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Expires: Thu, 16 Dec 2010 11:47:58 GMT, Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=2592000, post-check=0, pre-check=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Tue, 16 Nov 2010 11:47:58 GMT
P3P: CP="NON COR CURa ADMa OUR NOR UNI COM NAV STA"
Set-Cookie: PHPSESSID=0123456789abcdef0123456789abcdef; path=/
Pragma: no-cache
Content-Type: text/html
Date: Tue, 16 Nov 2010 11:47:58 GMT
Server: sw-cp-server/1.0.0
As you can see the server fixes the cookie (Set-Cookie) ssent by the client. You can run this server using the Firefox Live Headers plugin.
I am writing a PCI 2.0 compliance document for Plesk based on the original, http://www.md3v.com/pci-compliance-for-parallels-plesk, but am unable to resolve this issue.
Christopher.
