Summary

Invicti detected that session.use_trans_sid is enabled.

Impact

When session.use_trans_sid is enabled, PHP will pass the session ID via the URL.

By exploiting this vulnerability, an attacker can:

  • perform a session hijacking attack
  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application

Actions To Take

To disable session.use_trans_sid, set it to 'off' in the php.ini configuration file or, alternatively, in .htaccess.

  • php.ini:
    session.use_trans_sid = Off
  • .htaccess:
    php_flag session.use_trans_sid off
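
To confirm the change landed in the right directive, the following added example (not Invicti's code) reports the state of session.use_trans_sid in a php.ini or .htaccess file. The function names and sample configurations are constructed for illustration; it assumes the last assignment in a file wins, and "unset" means the value is inherited from a higher-level configuration or PHP's default (off).

```python
import re

TRUTHY = {"on", "yes", "true"}  # words PHP reads as boolean true

# Both patterns are anchored at the start of the line, so commented-out
# lines (";" in php.ini, "#" in .htaccess) and "[Section]" headers never match.
PATTERNS = {
    "ini": re.compile(r"^\s*([\w.]+)\s*=\s*([^;]*)"),
    "htaccess": re.compile(r"^\s*php_(?:flag|value)\s+([\w.]+)\s+(\S+)", re.I),
}

def ini_bool(raw):
    """Interpret a raw value as PHP does for boolean settings."""
    value = raw.strip().strip("'\"").lower()
    if value in TRUTHY:
        return True
    number = re.match(r"-?\d+", value)
    return bool(number) and int(number.group()) != 0

def audit(text, kind, directive="session.use_trans_sid"):
    """Return 'enabled', 'disabled' or 'unset' for the directive in one file."""
    state = "unset"
    for line in text.splitlines():
        m = PATTERNS[kind].match(line)
        if m and m.group(1) == directive:
            state = "enabled" if ini_bool(m.group(2)) else "disabled"
    return state

# Constructed sample configurations (not taken from a real server).
INI_WEAK = "[Session]\nsession.use_trans_sid = 1 ; session ID goes into URLs\n"
INI_FIXED = "[Session]\nsession.use_trans_sid = 'Off'\n"
INI_OTHER = "session.name = PHPSESSID\n"  # directive never set in this file
HTACCESS_FIXED = "php_flag session.use_trans_sid off\n"
HTACCESS_STALE = "# php_flag session.use_trans_sid off\nphp_flag session.use_trans_sid on\n"

if __name__ == "__main__":
    for name, text, kind in [
        ("php.ini (weak)", INI_WEAK, "ini"),
        ("php.ini (fixed)", INI_FIXED, "ini"),
        ("php.ini (other directive only)", INI_OTHER, "ini"),
        (".htaccess (fixed)", HTACCESS_FIXED, "htaccess"),
        (".htaccess (fix commented out)", HTACCESS_STALE, "htaccess"),
    ]:
        print(f"{name}: {audit(text, kind)}")
```

A per-directory .htaccess can override php.ini, so audit every file that applies to the scanned path, not only the global one.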

Classifications

CWE-598; OWASP 2013-A5; OWASP 2017-A6; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N