RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Keith.Morgan (Keith.Morgan@Terradon.com)
Date: 08/30/01


Message-ID: <C9E878EC530BD4118AE60050DAB6B7324555DB@V_KING>
From: "Keith.Morgan" <Keith.Morgan@Terradon.com>
To: 'Jeff Jancula' <Jeff@Jancula.com>
Subject: RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
Date: Thu, 30 Aug 2001 10:00:19 -0400

I've always had a problem with using cookies or session variables for
authentication mechanisms. These rely on client-side output. Session
variables in IIS are really just temporary cookies. I could get into a
whole rant about "best practices" regarding cookies, session auth etc... but
that's not really the purpose of my reply.

What I really want to know is, how does Apache deal with cookies, sessions,
etc... Has anyone tested to see if Apache will accept user supplied cookie
values?

> -----Original Message-----
> From: Jeff Jancula [mailto:Jeff@Jancula.com]
> Sent: Wednesday, August 29, 2001 2:26 PM
> To: vuln-dev@securityfocus.com
> Subject: Web session tracking security prob. Vulnerable: IIS and
> ColdFusion (maybe others)
>
>
> SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS.
>
> On February 20, 2001 we reported the following problem (with
> specifics to IIS and SITESERVER) to the Microsoft Security
> Response Center.
>
> On March 22, 2001 we also reported a similar problem to
> Allaire (now Macromedia) for ColdFusion.
>
> Approximately 2-3 weeks after reporting to appropriate
> vendors, we also reported these vulnerabilities to CERT.ORG.
>
> PROBLEM DESCRIPTIONS:
>
> Microsoft Internet Information Server (IIS) and Site Server
> do not verify that session cookie values were actually issued
> by the server. An Internet user can generate their own
> session cookie, which will be accepted as valid by these
> servers. An attacker could use cross-site scripting
> vulnerabilities to generate a modified session cookie, with a
> predictable session value, then use the predetermined session
> value to later take over (impersonate) other users.
<snip>
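The behaviour Jeff's advisory describes, and the question Keith raises about whether a server will "accept user supplied cookie values", both come down to one check: does the server look the presented session ID up in its own store (or otherwise verify it issued that ID), or does it simply create a session under whatever value the client sends? The following is an added example, not code from the original thread or from IIS, Site Server or ColdFusion. It simulates both behaviours in plain Python with no HTTP stack: a cookie jar is just a dict, and all class, method and cookie names (SESSIONID, the "ATTACKERCHOSEN" value, the user "alice") are hypothetical. The fixation attack is the one the advisory sketches: plant a known session ID in the victim's browser (XSS, or any other way to set a cookie for the target site), wait for the victim to log in, then present the same ID.

```python
"""Session fixation: a server that trusts client-supplied session IDs
versus one that only honours IDs it issued itself.

Added example, not code from the original mailing-list thread.  The
VulnerableSessionStore mimics the behaviour the advisory describes (any
presented cookie value becomes a valid session); HardenedSessionStore
shows the usual fix.  All names are hypothetical.
"""
import secrets


class VulnerableSessionStore:
    """Creates a session under whatever SESSIONID the client presents.

    This is the flaw in the advisory: the server never checks that the
    value was one it issued, so an attacker-chosen value is as good as a
    real one."""

    def __init__(self):
        self.sessions = {}

    def handle_request(self, cookies):
        sid = cookies.get("SESSIONID")
        if sid is None:
            sid = secrets.token_hex(16)
        # setdefault() silently accepts a never-issued, attacker-chosen SID
        session = self.sessions.setdefault(sid, {})
        return sid, session

    def login(self, cookies, user):
        sid, session = self.handle_request(cookies)
        session["user"] = user          # login binds the user to the planted SID
        return sid


class HardenedSessionStore:
    """Only server-issued, unpredictable IDs are honoured, and the ID is
    regenerated whenever the session gains privileges (login)."""

    def __init__(self):
        self.sessions = {}

    def _issue(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[sid] = {}
        return sid

    def handle_request(self, cookies):
        sid = cookies.get("SESSIONID")
        if sid is None or sid not in self.sessions:
            # Unknown or forged SID: ignore it and issue a fresh one.
            sid = self._issue()
        return sid, self.sessions[sid]

    def login(self, cookies, user):
        old_sid, _ = self.handle_request(cookies)
        self.sessions.pop(old_sid, None)   # discard whatever the client arrived with
        new_sid = self._issue()            # fresh, unguessable ID after login
        self.sessions[new_sid]["user"] = user
        return new_sid


def fixation_attack(store):
    """Simulate the attack from the advisory against `store`.

    1. Attacker plants SESSIONID=ATTACKERCHOSEN in the victim's browser.
    2. Victim logs in while carrying that cookie.
    3. Attacker sends the same planted cookie and checks whether the
       server now treats them as the logged-in victim.
    Returns True if the attacker ends up with the victim's session.
    """
    planted = "ATTACKERCHOSEN"                     # constructed, attacker-chosen value
    victim_cookies = {"SESSIONID": planted}
    store.login(victim_cookies, "alice")            # hypothetical victim account
    _, attacker_session = store.handle_request({"SESSIONID": planted})
    return attacker_session.get("user") == "alice"


if __name__ == "__main__":
    print("vulnerable store hijacked:", fixation_attack(VulnerableSessionStore()))
    print("hardened store hijacked:  ", fixation_attack(HardenedSessionStore()))
```

The whole difference is the `sid not in self.sessions` test plus regenerating the ID at login; a server that does the first but not the second is still exposed if the attacker can plant an ID the server itself issued earlier (for example one it obtained by visiting the site). A stateless alternative with the same effect is to sign the cookie value with a server-side key and reject any value whose MAC does not verify, which answers Keith's question for any server: the server must be able to prove it issued the value, not merely parse it.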