CWE-598
OWASP 2013-A5
OWASP 2017-A6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

PHP session.use_trans_sid Is Enabled

Severity:
Medium
Summary

Invicti detected that the session.use_trans_sid is enabled.

Impact

When session.use_trans_sid is enabled, PHP rewrites links and forms so that the session ID is passed in the URL, where it can be exposed through browser history, Referer headers and server or proxy logs.

By exploiting this vulnerability, an attacker can:

  • perform a session hijacking attack
  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application
Remediation
Required Skills for Successful Exploitation
Actions To Take

To disable session.use_trans_sid, set it to 0 (off) in the php.ini configuration file or, alternatively, in .htaccess:

  • php.ini: session.use_trans_sid = 0
  • .htaccess: php_flag session.use_trans_sid off
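As an added example (not Invicti's code), the following Python audits this setting from php.ini and .htaccess text, honouring PHP's boolean spellings and the fact that a per-directory php_flag overrides php.ini, and flags links in a response body that carry the session ID in the query string, which is the symptom the scanner reports. The session name PHPSESSID (PHP's default) and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

_TRUE = {"1", "on", "true", "yes"}  # PHP ini truthy spellings; 0/Off/False/No/"" are false

def parse_ini_setting(text, key="session.use_trans_sid"):
    """Last effective value of `key` in php.ini text, or None if unset."""
    found = None
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # ';' starts a php.ini comment
        if "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key:
                found = v.strip().strip("\"'")
    return found

def parse_htaccess_flag(text, key="session.use_trans_sid"):
    """Value set by a `php_flag <key> <value>` line in .htaccess, or None."""
    found = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "php_flag" and parts[1].lower() == key:
            found = parts[2]
    return found

def config_enables_trans_sid(php_ini, htaccess=""):
    """True if session.use_trans_sid is effectively on: .htaccess overrides php.ini,
    and if neither sets it PHP's built-in default of 0 applies (assumed: no other ini layer)."""
    value = parse_htaccess_flag(htaccess)
    if value is None:
        value = parse_ini_setting(php_ini)
    return value is not None and value.lower() in _TRUE

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for n, v in attrs if n in ("href", "src", "action") and v]

def urls_carrying_session_id(html, session_name="PHPSESSID"):
    """URLs in a response body whose query string carries the session ID (trans_sid rewriting)."""
    collector = _LinkCollector()
    collector.feed(html)
    return [u for u in collector.urls if session_name in parse_qs(urlsplit(u).query)]

# Constructed sample response: one rewritten link, one clean link, one rewritten form action.
SAMPLE_HTML = ('<a href="/account?PHPSESSID=abc123">Account</a>'
               '<a href="/help">Help</a>'
               '<form action="/login?PHPSESSID=abc123"></form>')
```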