Virtual Hosts: http://www.dsd.net
Session Cookie: MANTIS_secure_session
URL: /bugs/login.php
Details:
Ruby on Rails Session Fixation Vulnerability
Severity: Medium
PCI Status: Fail
CVE: CVE-2007-5380, CVE-2007-6007
Description:
Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
Remediation:
Upgrade to Ruby on Rails version 1.2.6 or newer and set 'config.action_controller.session_options[:cookie_only]' to
'true' in the 'config/environment.rb' file (if it is not already).
When I check my server for Ruby on Rails, it tells me this:
# ruby --version
ruby 1.9.2p290 (2011-07-09 revision 32553) [x86_64-linux]
# rails --version
The program 'rails' is currently not installed. You can install it by typing:
apt-get install rails
I wonder if this scan issue report is bullshit, or if I have to install rails at all?
In fact, Mantis works without any (other) issues on my server since years.
Can some Mantis nerd give me any hint on these questions?
