We just received this as a result of a security audit:
Finding: Session Token In URL
Category: Coding Practice
Description: The URL in the request contains a session token within the query string. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Remediation: The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Test Notes: See Finding: Session Fixation. Below is a copy of the request and response received during testing.
POST /FileVistaControl/upload.aspx?rootFolderID=0&relativePath=New+Folder%2fpentest&ASP.NET_SessionId=idph03riotfcn5qloausxvm5&FT.Active=1&FT.OverrideProvider=1&FT.UploadID=13547255765589165 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11
Content-Type: multipart/form-data; boundary=----------Ef1KM7Ij5Ij5ei4Ef1ei4ae0cH2ei4
1/14/2013 6:39 AM
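The finding above is the kind of thing that is easy to verify from the server side once you know what to look for. The following is an added example (not part of the audit report or of the FileVistaControl/FileUltimate product) that scans web server access-log request lines for query parameters that look like session tokens and produces a redacted form of such URLs for safe logging. The log lines are constructed for the example; the first request target is the one quoted in the finding, the parameter-name list and the opaque-value heuristic are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that common frameworks use for session identifiers
# (assumed list for this example; extend for your own stack).
SESSION_PARAM_NAMES = {
    "asp.net_sessionid", "phpsessid", "jsessionid", "sessionid",
    "session_id", "sessid", "sid", "token", "auth_token", "access_token",
}

# Heuristic for an opaque token value: 16+ URL-safe characters and no spaces.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")

# Suggestive fragments in a parameter name; combined with an opaque value
# this catches tokens that are not in the known-name list.
SUSPECT_NAME = re.compile(r"sess|token|auth", re.IGNORECASE)

# Request line inside a combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Request target quoted in the audit finding (the session id is the one in the report).
AUDITED_TARGET = (
    "/FileVistaControl/upload.aspx?rootFolderID=0&relativePath=New+Folder%2fpentest"
    "&ASP.NET_SessionId=idph03riotfcn5qloausxvm5&FT.Active=1&FT.OverrideProvider=1"
    "&FT.UploadID=13547255765589165"
)

# Constructed sample access-log lines (IPs, sizes and the other targets are invented).
LOG_LINES = [
    '10.0.0.5 - - [14/Jan/2013:06:39:01 +0000] "POST ' + AUDITED_TARGET + ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [14/Jan/2013:06:40:12 +0000] "GET /FileVistaControl/list.aspx?rootFolderID=0 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [14/Jan/2013:06:41:30 +0000] "GET /app/home?PHPSESSID=3f2a9c1e7b4d8a6f HTTP/1.1" 200 1024 "-" "curl/7.0"',
]


def find_session_tokens(url):
    """Return [(name, value)] for query parameters that look like session tokens."""
    query = urlsplit(url).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        known = name.lower() in SESSION_PARAM_NAMES
        suspicious = bool(SUSPECT_NAME.search(name)) and bool(OPAQUE_VALUE.match(value))
        if known or suspicious:
            hits.append((name, value))
    return hits


def redact_url(url):
    """Rebuild the URL with flagged parameter values replaced by REDACTED.

    Use this before writing request URLs to application logs or error reports
    so that a leaked log does not also leak live sessions.
    """
    parts = urlsplit(url)
    flagged = {name for name, _ in find_session_tokens(url)}
    pairs = [(n, "REDACTED" if n in flagged else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines):
    """Return (line_no, method, path, hits) for entries whose request target
    carries a session-token-like query parameter."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # not a parsable request line; skip
        hits = find_session_tokens(m.group("target"))
        if hits:
            path = urlsplit(m.group("target")).path
            findings.append((line_no, m.group("method"), path, hits))
    return findings


if __name__ == "__main__":
    for line_no, method, path, hits in scan_access_log(LOG_LINES):
        names = ", ".join(name for name, _ in hits)
        print(f"line {line_no}: {method} {path} carries session token(s): {names}")
    print("redacted:", redact_url(AUDITED_TARGET))
```

Note that FT.UploadID in the audited request is not flagged even though its value is long and opaque: the heuristic requires a suggestive parameter name as well, which keeps the scan from reporting every numeric id in the log. Running the scan periodically against proxy and web server logs is a cheap way to confirm that an upgrade like the one suggested below actually removed the token from the query string.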
I see that you are using a very old version (earlier than v2.1) of FileUltimate (old name was FileVistaControl). The cookies were added to the URL for handling the Flash cookie bug. However, in later versions we found a better workaround and cookies are not visible in the URL. I recommend that you upgrade.
1/14/2013 7:22 AM
It looks like we are using Version 1.9, from March 22, 2010.
Will ask my boss to get the upgrade details.
1/14/2013 8:11 AM