duanqian6982 2015-03-19 17:22

PHP Web Server Generic Cookie Injection

Got a website where a security scan for PCI compliance has come back with a fail for the following:

Web Server Generic Cookie Injection

Impact: The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism.

Please note that:
- SecurityMetrics did not check if the session fixation attack is feasible.
- This is not the only vector of session fixation.

See also:
http://en.wikipedia.org/wiki/Session_fixation
http://www.owasp.org/index.php/Session_Fixation

I haven't been able to find much information about this error and have gone round in circles about it. I'm assuming it's a CakePHP issue.

Cheers
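
The two conditions named in the scan text (request strings echoed without encoding, and a session ID the client can choose) can be closed off in plain PHP as follows; this is an added example, not part of the original post and not CakePHP's own code. It assumes PHP 7.3 or later and an HTTPS site, and `on_login()`, `safe_request_uri()` and `render_not_found()` are hypothetical helper names.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.3 and HTTPS.

// 1. Session settings: only honour session IDs this server issued, and
//    only take them from the cookie, never from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumption: the site is served over HTTPS
    'httponly' => true,   // keeps the session cookie unreadable from script
    'samesite' => 'Lax',
]);
session_start();

// 2. Hypothetical helper: call at login or any other privilege change.
//    Strict mode alone does not help if the planted ID is a valid one the
//    server issued earlier, so the ID is replaced and the old session deleted.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// 3. Hypothetical helper: HTML-encode request-derived text before it is
//    echoed, so markup in the request string is displayed, not executed.
function safe_request_uri(): string
{
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    return htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical 404 handler: the kind of page that reflects the request string.
function render_not_found(): void
{
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    echo '<p>Not found: ' . safe_request_uri() . '</p>';
}

render_not_found();
```

If the reflected text comes from the web server's own default error page rather than from application code, the same encoding has to be applied there, for example by routing errors to a handler like the one above.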
