Vulnerability Development mailing list archives
Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
From: "Jeff Jancula" <Jeff () Jancula com>
Date: Mon, 3 Sep 2001 16:46:53 -0400
Keith, I tested BEA's WebLogic and IBM's Websphere - there were NOT vulnerable. Jeff ----- Original Message ----- From: "Keith.Morgan" <Keith.Morgan () Terradon com> To: "'Jeff Jancula'" <Jeff () Jancula com> Cc: <vuln-dev () securityfocus com> Sent: Thursday, August 30, 2001 10:00 AM Subject: RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
I've always had a problem with using cookies or session variables for authentication mechanisms. These rely on client-side output. Session variables in IIS are really just temporary cookies. I could get into a whole rant about "best practices" regarding cookies, session auth etc... but that's not really the purpose of my reply. What I really want to know is, how does apache deal with cookies, sessions, etc... Has anyone tested to see if apache will accept user supplied cookie values?-----Original Message----- From: Jeff Jancula [mailto:Jeff () Jancula com] Sent: Wednesday, August 29, 2001 2:26 PM To: vuln-dev () securityfocus com Subject: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS. On February 20, 2001 we reported the following problem (with specifics to IIS and SITESERVER) to the Microsoft Security Response Center. On March 22, 2001 we also reported a similar problem to Allaire (now Macromedia) for ColdFusion. Approximately 2-3 weeks after reporting to appropriate vendors, we also reported these vulnerabilities to CERT.ORG. PROBLEM DESCRIPTIONS: Microsoft Internet Information Server (IIS) and Site Server do not verify that session cookie values were actually issued by the server. An Internet user can generate their own session cookie, which will be accepted as valid by these servers. An attacker could use cross-site scripting vulnerabilities to generate a modified session cookie, with a predictable session value, then use the predetermined session value to later take over (impersonate) other users.<snip>
Current thread:
- Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Jeff Jancula (Sep 04)
- <Possible follow-ups>
- Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Jeff Jancula (Sep 04)
- Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Jeff Jancula (Sep 14)