0

I have scanned my website on TrustWave for PCI Compliance and foud this error

Apache HTTP Server mod_session_dbd Session ID Reuse Vulnerability

My website is running on Windows Server 2008 R2 Enterprise on Apache Server 2.4.4(On XAMPP)

Following link is the Patch to fix this issue but unable to locate the location of the file to edit

 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_dbd.c?r1=1409170&r2=1488158&diff_format=h

as suggested by http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2249

Can any one guide me please !

Best regards !

vanurag
  • 297
  • 2
  • 19

1 Answers1

0

this vulnerability is on the lastest version of apache so there is nothing to upgrade

if you have installed this version of apache on redHat-Enterprise (version:4 or 5 or 6) so your are not affected

if no :

this vulneravility is about session_start(); $_session(); whene session_id is set by the php there is no session_expired that renew the session_id 

Solution:

dont use this module session_start(); and wait fot he new update of the apache that's all and there is nothing to Carry about

Hichem
  • 1,111
  • 11
  • 30
  • @vanurag yes really and you can use it without carry too , but if you know that your server is populated for cracking and hacking (Commercial usage) dont use this module and use `setcookie("cookiename","cookievalue");` in the place of `session_start();` – Hichem Nov 19 '13 at 13:27