Vulnerability Development mailing list archives

RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)

From: "Norman Cook" <normancook () onebox com>
Date: Thu, 30 Aug 2001 09:30:59 -0700

Some good explanations were dicussed on www-mobile-code list recently
I think.

http://www.securityfocus.com/templates/archive.pike?start=2001-08-12&end=2001-08-18&list=107&threads=0&;

I am not too familiar with Cold Fusion, however, if you run ASP (Active
Server Page) Applications on your IIS Server, the server issues a Session
ID to each new session.  This is how ASP maintains state across web pages.
 I assume it's the same concept for ColdFusion.

This is an Automatic process for ID generation that I rather random ...
so theoretically (as MS always likes to put it) yes, they could steal
a Session ID, but you would have to guess it first, and that would be
akin to attempting to hijack a TCP/IP session using a guessed TCP/IP
sequence number.

John Hicks

-----Original Message-----
From: Lincoln Yeoh [mailto:lyeoh () pop jaring my]
Sent: Thursday, August 30, 2001 1:35 AM
To: Jeff Jancula; vuln-dev () securityfocus com
Subject: Re: Web session tracking security prob. Vulnerable: IIS and
ColdFusion (maybe others)


At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:

BACKGROUND:

When a Internet browser user visits IIS or ColdFusion hosted web sites,

the web server issues browser commands similar to:


(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
(for CF)  Set-Cookie: CFID=123
(for CF)  Set-Cookie: CFTOKEN=4567890

The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN"

values

with each subsequent request to the web server. IIS and ColdFusion use
these values to identify and track each user.


What does CFID=123 mean to cold fusion? Is that the user/session ID?

Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING
and Cold Fusion will think it's the same user/session?

If it does then it's a very big problem. If it doesn't, then it may not
be a problem unless your application assumes that just having a session
means it's a valid user.

Cheerio,
Link.


__________________________________________________
FREE voicemail, email, and fax...all in one place.
Sign Up Now! http://www.onebox.com

Current thread:

RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Norman Cook (Aug 30)
- RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Jose Nazario (Aug 30)
  - Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Dug Song (Aug 30)
  - Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Kevin Fu (Aug 30)
- Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Kevin Fu (Aug 30)