PHP session.use_trans_sid Is Enabled
Severity: Medium
Summary #
Invicti detected that the session.use_trans_sid is enabled.
Impact #
When session.use_trans_sid is enabled, PHP will pass the session ID via the URL.
By using this vulnerability, an attacker can:
- perform session hijacking attack
- manipulate sensitive information
- leak sensitive information
- gain administrator access to the web application
Actions To Take #
To disable session.use_trans_sid, you can set it to 'off' in the php.ini configuration file or alternatively in .htaccess.
- php.ini:
register_globals = 'off' - .htaccess:
php_flag register_globals off
Classifications #
CWE-598; OWASP 2013-A5; OWASP 2017-A6
, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability Index
You can search and find all vulnerabilities
Select Category
OR
Search Vulnerability
