Vulnerability Development mailing list archives
Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
From: Kevin Fu <fubob () MIT EDU>
Date: Thu, 30 Aug 2001 14:45:46 -0400
Here's information about how CFTOKEN and CFID work. Below is a snippet of technical information that Allaire Corporation sent me. My research group has documented stuff related to this on http://cookies.lcs.mit.edu/.

--------
Kevin E. Fu (fubob () mit edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html

------- Forwarded Message

1) From the ColdFusion 4.5.1 SP2 Release Notes:
CFID is assigned sequentially per machine. The entire value must consist of all decimal digits (0-9).

CFTOKEN - by default assigned as a random long integer. The value range is 0 < x < 2,147,483,647. ColdFusion no longer validates any part of this token, allowing users to re-assign this to any value they choose.

However, by setting the registry key HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\Clients\UuidToken to be the string value "1", ColdFusion assigns CFTOKENS using the same random number concatenated with a UUID, which is guaranteed to be globally unique. We use the random number to avoid simple guessing of the uuids, since only a small portion of a uuid changes with each assignment, and to make database lookups more efficient. A typical CFTOKEN using this method looks like this:

57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5

If you turn on the UuidToken switch and you are storing client variable information in a database, you will need to increase the column width of the 'cfid' column in the CDATA and CGLOBAL tables. You should change the current width of 20 characters to at least 50 characters, due to the increased length of CFTOKEN. You may also have to change other applications if they are storing the CFTOKEN value in a fixed length field.
2) I looked into the algorithm we use to generate the random number. The answer from our lead developer for ColdFusion is:
We use a random number generator from the book Algorithms in C, p513 by Sedgewick
Our lead developer does not think the random number generator is cryptographically secure.

...

------- End of Forwarded Message
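As an added example (not part of the original post or of Allaire's code), the following Python script applies the two CFTOKEN formats described in the forwarded notes as a defensive check: it validates a CFID/CFTOKEN cookie pair against the documented rules (CFID all decimal digits; CFTOKEN either a decimal long in 0 < x < 2,147,483,647 or a random hex prefix joined to a UUID), bounds the unpredictable bits a token can carry, and shows a CSPRNG-backed replacement. The function names, the 64-bit threshold and the sample cookie values other than the UUID-form token quoted above are assumptions for illustration. The bit estimate is an upper bound: the notes say the generator is not cryptographically secure, so the true unpredictability is lower still.

```python
import math
import re
import secrets

# Formats as documented in the forwarded ColdFusion 4.5.1 SP2 notes.
CFTOKEN_MAX = 2_147_483_647          # 0 < x < 2,147,483,647
DECIMAL_RE = re.compile(r"^[0-9]+$")
# UuidToken mode: "<random hex>-<uuid>", e.g. 57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5
UUID_FORM_RE = re.compile(
    r"^[0-9a-f]{1,8}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Upper bound on unpredictable bits: only the random long is unpredictable,
# and it takes at most CFTOKEN_MAX - 2 distinct values (exclusive bounds).
RANDOM_LONG_BITS = math.log2(CFTOKEN_MAX - 2)   # ~31 bits


def classify_cftoken(token: str) -> dict:
    """Identify the CFTOKEN format, check its range, bound its unpredictable bits."""
    if DECIMAL_RE.match(token):
        value = int(token)
        valid = 0 < value < CFTOKEN_MAX
        return {"format": "decimal", "valid": valid,
                "entropy_bits": RANDOM_LONG_BITS if valid else 0.0}
    if UUID_FORM_RE.match(token):
        # The UUID suffix is globally unique but mostly stable between assignments
        # (per the notes), so it adds uniqueness, not unpredictability.
        return {"format": "uuid", "valid": True, "entropy_bits": RANDOM_LONG_BITS}
    return {"format": "unknown", "valid": False, "entropy_bits": 0.0}


def check_session_cookie(cfid: str, cftoken: str, min_bits: float = 64.0) -> dict:
    """Review a CFID/CFTOKEN pair; min_bits is an assumed policy threshold."""
    findings = []
    if not DECIMAL_RE.match(cfid):
        findings.append("CFID must consist only of decimal digits")
    info = classify_cftoken(cftoken)
    if not info["valid"]:
        findings.append("CFTOKEN matches neither documented format or is out of range")
    elif info["entropy_bits"] < min_bits:
        findings.append(
            f"CFTOKEN carries at most {info['entropy_bits']:.0f} unpredictable bits "
            f"(policy requires {min_bits:.0f})")
    return {"cftoken": info, "findings": findings}


def fresh_session_token(nbytes: int = 16) -> str:
    """Hardened alternative: 128 bits from the OS CSPRNG, hex-encoded (assumed policy)."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample cookies; the UUID-form token is the one quoted in the notes.
    samples = [
        ("1234", "99999999"),
        ("1235", "57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5"),
        ("12a4", "2147483647"),
    ]
    for cfid, cftoken in samples:
        result = check_session_cookie(cfid, cftoken)
        print(f"CFID={cfid} CFTOKEN={cftoken}")
        print(f"  format={result['cftoken']['format']} valid={result['cftoken']['valid']}")
        for f in result["findings"]:
            print(f"  - {f}")
    print("replacement token:", fresh_session_token())
```

The check flags every token in the documented formats as below the assumed 64-bit policy, which is the practical consequence of the notes: the UuidToken switch fixes uniqueness and database lookups, not guessability, since the random long remains the only unpredictable component.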