Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
From: Jeff Jancula (Jeff@Jancula.com)
Date: 08/30/01
- Previous message: corecode: "Re: solaris gdb screen mayhem"
- In reply to: Lincoln Yeoh: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
- Next in thread: nagilum@chillout.org: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <008301c13115$f5280740$a600000a@Jancula.com>
From: "Jeff Jancula" <Jeff@Jancula.com>
To: "Lincoln Yeoh" <lyeoh@pop.jaring.my>, <vuln-dev@securityfocus.com>
Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
Date: Thu, 30 Aug 2001 01:38:11 -0400
As best I can tell, CFID is not the user ID - as it is usually the same for all visitors to the web site. I can only guess that it's more like a server ID. CFTOKEN is the actual session number. Note: These two cookies (or parameters) are for ColdFusion ONLY.
IIS uses something similar called ASPSESSIONID. With ASPSESSIONID, the first group of 8 characters is the same for all visitors. Again, I believe this portion of ASPSESSIONID is a server identifier, and the remaining 16 characters make up the actual session number.
ColdFusion chose to separate the two, whereas IIS chose to combine them.
If I send you a link similar to https://someserver.com?CFID=101&CFTOKEN=99999, and then later we both visit the web site using the same (or similar) links, the server will consider us to be the same user session. If I time it right, then I should wait for YOU to log in, so I don't have to. In effect, I can become your clone (in a web sense).
Jeff
----- Original Message -----
From: "Lincoln Yeoh" <lyeoh@pop.jaring.my>
To: "Jeff Jancula" <Jeff@Jancula.com>; <vuln-dev@securityfocus.com>
Sent: Thursday, August 30, 2001 1:35 AM
Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
> At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:
> >BACKGROUND:
> >
> >When an Internet browser user visits IIS or ColdFusion hosted web sites,
> >the web server issues browser commands similar to:
> >
> >(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
> >(for CF) Set-Cookie: CFID=123
> >(for CF) Set-Cookie: CFTOKEN=4567890
> >
> >The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values
> >with each subsequent request to the web server. IIS and ColdFusion use
> >these values to identify and track each user.
> >
>
> What does CFID=123 mean to ColdFusion? Is that the user/session ID?
>
> Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and
> ColdFusion will think it's the same user/session?
>
> If it does then it's a very big problem. If it doesn't, then it may not be
> a problem unless your application assumes that just having a session means
> it's a valid user.
>
> Cheerio,
> Link.
>
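The scenario Jeff describes (a planted CFID/CFTOKEN pair, or ASPSESSIONID, that the victim then authenticates under) is defeated on the server side by two rules: only honour session identifiers the server itself issued, and replace the identifier when the session logs in. The following is an added example, not code from this thread, from ColdFusion or from IIS. It models a server-side session table in Python with both rules switchable, so the insecure behaviour the thread describes and the hardened behaviour can be compared side by side; every name, token and user in it is constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None            # None until the client authenticates
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table (hypothetical, constructed for this example).

    Two switches control the behaviour discussed in the thread: whether the
    server adopts an identifier it never issued, and whether the identifier
    is replaced when the session authenticates.
    """

    def __init__(self, accept_unknown_tokens: bool = False, rotate_on_login: bool = True):
        self.accept_unknown_tokens = accept_unknown_tokens
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_token() -> str:
        # 128 bits from the OS CSPRNG, so a token cannot be guessed or counted up to.
        return secrets.token_hex(16)

    def _lookup(self, presented: Optional[str]) -> Optional[str]:
        # Constant-time comparison against each issued token, so the lookup
        # does not leak how many leading characters of a guess were right.
        if not presented:
            return None
        for issued in self._sessions:
            if hmac.compare_digest(issued, presented):
                return issued
        return None

    def resolve(self, presented: Optional[str]) -> str:
        """Return the token the server will track this request under."""
        found = self._lookup(presented)
        if found is not None:
            return found
        if self.accept_unknown_tokens and presented:
            # Insecure: the client chose the identifier, so anyone who put it
            # in a link knows it too.
            self._sessions[presented] = Session()
            return presented
        # Hardened: unknown or missing identifiers are ignored and replaced.
        token = self._new_token()
        self._sessions[token] = Session()
        return token

    def login(self, token: str, user: str) -> str:
        """Bind the session to a user; returns the token to send back to the client."""
        session = self._sessions[token]
        session.user = user
        if not self.rotate_on_login:
            return token                  # Insecure: the pre-login token stays valid.
        del self._sessions[token]         # Hardened: the old identifier is retired
        new_token = self._new_token()
        self._sessions[new_token] = session
        return new_token                  # and only the new one reaches the user.

    def user_for(self, presented: Optional[str]) -> Optional[str]:
        found = self._lookup(presented)
        return self._sessions[found].user if found else None


def run_scenario(store: SessionStore) -> Optional[str]:
    """Replay the thread's scenario and return the user the planted identifier
    resolves to afterwards (None means it resolves to no authenticated user)."""
    # Constructed value standing in for the CFID/CFTOKEN pair in the thread's example link.
    planted = "CFID=101;CFTOKEN=99999"
    victim_token = store.resolve(planted)    # the victim follows the link
    store.login(victim_token, "alice")       # the victim logs in
    return store.user_for(planted)           # the planted value is presented again later


def fixation_results() -> Dict[str, Optional[str]]:
    return {
        "legacy": run_scenario(SessionStore(accept_unknown_tokens=True, rotate_on_login=False)),
        "reject_unknown": run_scenario(SessionStore(accept_unknown_tokens=False, rotate_on_login=False)),
        "rotate_on_login": run_scenario(SessionStore(accept_unknown_tokens=True, rotate_on_login=True)),
        "both": run_scenario(SessionStore(accept_unknown_tokens=False, rotate_on_login=True)),
    }


if __name__ == "__main__":
    for config, leaked_user in fixation_results().items():
        print(f"{config:16s} -> planted identifier resolves to user: {leaked_user}")
```

Only the "legacy" configuration (adopt any presented identifier, keep it across login) lets the planted value resolve to the authenticated user; either defence alone is enough to break the scenario, and a server should apply both, since rejecting unknown tokens also stops a client from choosing a short or predictable identifier in the first place.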