Vulnerability Development mailing list archives

Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)


From: Kevin Fu <fubob () MIT EDU>
Date: Thu, 30 Aug 2001 14:45:46 -0400

Here's information about how CFTOKEN and CFID work.  Below is a
snippet of technical information that Allaire Corporation sent me.

My research group has documented stuff related to this on
http://cookies.lcs.mit.edu/.

--------
Kevin E. Fu (fubob () mit edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html

------- Forwarded Message
1) From the ColdFusion 4.5.1 SP2 Release Notes:
CFID is assigned sequentially per machine. The entire value 
must consist of all decimal digits (0-9). 
CFTOKEN - by default assigned as a random long integer. The 
value range is 0 < x < 2,147,483,647. ColdFusion no longer 
validates any part of this token, allowing users to re-assign 
this to any value they choose. 

However, by setting the registry key 
HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\
Clients\UuidToken to be the string value "1", ColdFusion 
assigns CFTOKENS using the same random number concatenated 
with a UUID, which is guaranteed to be globally unique.

We use the random number to avoid simple guessing of the 
uuids, since only a small portion of a uuid changes with each 
assignment, and to make database lookups more efficient.

A typical CFTOKEN using this method looks like this: 
57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5

If you turn on the UuidToken switch and you are storing 
client variable information in a database, you will need to 
increase the column width of the 'cfid' column in the CDATA 
and CGLOBAL tables. You should change the current width of 20 
characters to at least 50 characters, due to the increased 
length of CFTOKEN.

You may also have to change other applications if they are 
storing the CFTOKEN value in a fixed length field.

2) I looked into the algorithm we use to generate the random number.  The
answer from our lead developer for ColdFusion is:

We use a random number generator from the book
    Algorithms in C, p513 by Sedgewick

Our lead developer does not think the random number generator is
cryptographically secure.

...

------- End of Forwarded Message
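To make the forwarded description of the UuidToken format concrete, the following is an added example (my own Python, not code from the original post, from Allaire or from ColdFusion). It parses the sample CFTOKEN quoted above, decodes the RFC 4122 version-1 UUID that follows the random prefix, and reports which fields are fixed per host or derivable from a timestamp, leaving only the prefix for an attacker to guess. The function names `parse_cftoken` and `hardened_cftoken`, the dictionary keys and the constructed test inputs are assumptions of this example; the 31-bit bound comes from the documented range 0 < x < 2,147,483,647.

```python
"""Dissect a ColdFusion CFTOKEN in the UuidToken format described in the
forwarded note (<random hex>-<version-1 UUID>) and show how much of it is
actually unpredictable.

Added example, not Allaire/ColdFusion code. The UUID field layout follows
RFC 4122 for version-1 UUIDs; function and key names are this example's own.
"""
import datetime
import secrets
import uuid

# The sample token quoted in the forwarded release notes.
SAMPLE_CFTOKEN = "57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5"

# Documented bound on the random part: 0 < x < 2,147,483,647.
RANDOM_UPPER_BOUND = 2147483647

# Seconds between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_EPOCH_OFFSET_S = 12219292800


def parse_cftoken(token):
    """Split a UuidToken-style CFTOKEN and decode its version-1 UUID.

    Returns a dict of the recovered fields plus the number of bits an
    attacker must actually guess (everything else is derivable).
    """
    prefix_hex, uuid_str = token.split("-", 1)
    prefix = int(prefix_hex, 16)
    if not 0 < prefix < RANDOM_UPPER_BOUND:
        raise ValueError("random prefix outside the documented range")

    u = uuid.UUID(uuid_str)
    if u.version != 1:
        raise ValueError("UuidToken CFTOKENs carry a time-based (v1) UUID")

    # 60-bit timestamp in 100 ns ticks since 1582-10-15; convert to UTC
    # with integer arithmetic so no precision is lost.
    unix_ticks = u.time - UUID_EPOCH_OFFSET_S * 10**7
    issued_at = datetime.datetime.fromtimestamp(
        unix_ticks // 10**7, tz=datetime.timezone.utc
    ) + datetime.timedelta(microseconds=(unix_ticks % 10**7) // 10)

    # 48-bit node field. RFC 4122 requires a randomly generated node to set
    # the multicast bit (LSB of the first octet); a clear bit means the
    # host's real MAC address, which is constant for every token it issues.
    first_octet = (u.node >> 40) & 0xFF
    node_mac = ":".join(
        f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1)
    )

    return {
        "random_prefix": prefix,
        "random_prefix_hex": prefix_hex,
        # Only the prefix is secret: at most log2(2^31 - 2) ~ 31 bits, and
        # those come from a generator the vendor calls non-cryptographic.
        "max_unpredictable_bits": (RANDOM_UPPER_BOUND - 1).bit_length(),
        "uuid_version": u.version,
        "issued_at_utc": issued_at,
        "clock_seq": u.clock_seq,
        "node_mac": node_mac,
        "node_is_hardware_address": (first_octet & 1) == 0,
    }


def hardened_cftoken():
    """What a CSPRNG-backed token of comparable width looks like (assumed
    replacement, not a ColdFusion option): 128 bits from the OS CSPRNG,
    32 hex characters, so it also needs a wider column than 20 chars."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    for key, value in parse_cftoken(SAMPLE_CFTOKEN).items():
        print(f"{key:>26}: {value}")
    print(f"{'hardened example':>26}: {hardened_cftoken()}")
```

Run against the sample token, the UUID decodes to a version-1 UUID minted on 1999-11-19 UTC from a host with MAC address 00:c0:4f:a3:5b:a5 (multicast bit clear, so a real interface) and clock sequence 0x0b87. All of that is reproducible by anyone holding a single token from the same server, so the only part left to guess is the 7-hex-digit prefix, at most 31 bits, which is the part the vendor's developer says is not cryptographically secure.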
