1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Plesk PCI 2 Compliance - Session Fixation

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by md3vxx, Nov 16, 2010.

  1. md3vxx

    md3vxx Guest

    0
     
    Does anyone know how to correctly disable session fixation within Plesk?

    I have defined:

    session.use_cookies = 1
    session.use_only_cookies = 1

    Within /usr/local/psa/admin/conf/php.ini and restarted the Plesk server service:

    /etc/init.d/sw-cp-server restart

    But Plesk continues to be vulnerable:

    REQUEST https://my.server.net:8443/?PHPSESSID=0123456789abcdef0123456789abcdef

    GET /?PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.1
    Host: my.server.net:8443
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Cookie: PHPSESSID=0123456789abcdef0123456789

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Expires: Thu, 16 Dec 2010 11:47:58 GMT, Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: max-age=2592000, post-check=0, pre-check=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Last-Modified: Tue, 16 Nov 2010 11:47:58 GMT
    P3P: CP="NON COR CURa ADMa OUR NOR UNI COM NAV STA"
    Set-Cookie: PHPSESSID=0123456789abcdef0123456789abcdef; path=/
    Pragma: no-cache
    Content-Type: text/html
    Date: Tue, 16 Nov 2010 11:47:58 GMT
    Server: sw-cp-server/1.0.0

    As you can see the server fixes the cookie (Set-Cookie) ssent by the client. You can run this server using the Firefox Live Headers plugin.

    I am writing a PCI 2.0 compliance document for Plesk based on the original, http://www.md3v.com/pci-compliance-for-parallels-plesk, but am unable to resolve this issue.

    Christopher.
     
Loading...