Vulnerability Development mailing list archives

Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: "Jeff Jancula" <Jeff () Jancula com>
Date: Thu, 30 Aug 2001 01:38:11 -0400

As best I can tell, CFID is not the user ID - as it is usually the same for all visitors to the web site. I can only 
guess that it's more like a server ID. CFTOKEN is the actual session number. Note: These two cookies (or parameters) 
are for ColdFusion ONLY.

IIS uses something similar called ASPSESSIONID. With ASPSESSIONID, the first group of 8 characters is the same for all 
visitors. Again, I believe this portion of ASPSESSIONID is a server identifier, and the remaining 16 characters make up 
the actual session number.

ColdFusion chose to separate the two, whereas IIS chose to combine them.

If I send you a link similar to https://someserver.com?CFID=101&CFTOKEN=99999, and then later we both visit the web 
site, using the same (or similar) links; the server will consider us to be the same user session. If I time it right, 
then I should wait for YOU to login, so I don't have to. In effect, I can become your clone (in a web sense).

Jeff


----- Original Message ----- 
From: "Lincoln Yeoh" <lyeoh () pop jaring my>
To: "Jeff Jancula" <Jeff () Jancula com>; <vuln-dev () securityfocus com>
Sent: Thursday, August 30, 2001 1:35 AM
Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:

BACKGROUND:

When a Internet browser user visits IIS or ColdFusion hosted web sites,

the web server issues browser commands similar to:


(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
(for CF)  Set-Cookie: CFID=123
(for CF)  Set-Cookie: CFTOKEN=4567890

The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values

with each subsequent request to the web server. IIS and ColdFusion use
these values to identify and track each user.


What does CFID=123 mean to cold fusion? Is that the user/session ID?

Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and
Cold Fusion will think it's the same user/session?

If it does then it's a very big problem. If it doesn't, then it may not be
a problem unless your application assumes that just having a session means
it's a valid user.

Cheerio,
Link.

Current thread:

Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Jeff Jancula (Aug 29)
- Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Michael J. Cannon (Aug 29)
  - RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Jon Zobrist (Aug 31)
- Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Lincoln Yeoh (Aug 30)
  - Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Jeff Jancula (Aug 30)
- Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) nagilum (Aug 30)
- Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Marc Slemko (Aug 30)