RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Hicks, John (JHicks@JUSTICE.GC.CA)
Date: 08/30/01


Message-ID: <527F8A5A9998D411953400508BAC4993B35C9D@fa1md001.justice.gc.ca>
From: "Hicks, John" <JHicks@JUSTICE.GC.CA>
To: vuln-dev@securityfocus.com
Subject: RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
Date: Thu, 30 Aug 2001 11:23:39 -0400

I am not too familiar with Cold Fusion, however, if you run ASP (Active
Server Page) Applications on your IIS Server, the server issues a Session ID
to each new session. This is how ASP maintains state across web pages. I
assume it's the same concept for ColdFusion.

This is an automatic process for ID generation that is rather random ... so
theoretically (as MS always likes to put it) yes, they could steal a Session
ID, but you would have to guess it first, and that would be akin to
attempting to hijack a TCP/IP session using a guessed TCP/IP sequence
number.

John Hicks

-----Original Message-----
From: Lincoln Yeoh [mailto:lyeoh@pop.jaring.my]
Sent: Thursday, August 30, 2001 1:35 AM
To: Jeff Jancula; vuln-dev@securityfocus.com
Subject: Re: Web session tracking security prob. Vulnerable: IIS and
ColdFusion (maybe others)

At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:
>BACKGROUND:
>
>When an Internet browser user visits IIS or ColdFusion hosted web sites,
>the web server issues browser commands similar to:
>
>(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
>(for CF) Set-Cookie: CFID=123
>(for CF) Set-Cookie: CFTOKEN=4567890
>
>The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values
>with each subsequent request to the web server. IIS and ColdFusion use
>these values to identify and track each user.
>

What does CFID=123 mean to cold fusion? Is that the user/session ID?

Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and
Cold Fusion will think it's the same user/session?

If it does then it's a very big problem. If it doesn't, then it may not be
a problem unless your application assumes that just having a session means
it's a valid user.

Cheerio,
Link.
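
The two cases Link distinguishes above, as an added example that is not part of the original thread and is not ColdFusion's or IIS's own implementation: a hypothetical `SessionStore` that accepts a session only when both the id and a random token match, and that keeps "has a session" separate from "is a logged-in user". The class, its method names and the sample values are assumptions made for illustration.

```python
import hmac
import secrets


class SessionStore:
    """Hypothetical server-side store: a sequential id paired with a random token."""

    def __init__(self):
        self._next_id = 123      # constructed starting value, echoing CFID=123
        self._sessions = {}      # id -> {"token": str, "user": str or None}

    def issue(self):
        """Create a session and return the (id, token) pair to set as cookies."""
        sid = str(self._next_id)
        self._next_id += 1
        token = secrets.token_hex(16)   # 128 bits from the OS CSPRNG
        self._sessions[sid] = {"token": token, "user": None}
        return sid, token

    def _lookup(self, sid, token):
        record = self._sessions.get(sid)
        if record is None or not isinstance(token, str):
            return None
        # Constant-time comparison: the id alone must never select a session.
        if not hmac.compare_digest(record["token"].encode(), token.encode()):
            return None
        return record

    def is_valid_session(self, sid, token):
        """True only when the id exists and the token matches it."""
        return self._lookup(sid, token) is not None

    def login(self, sid, token, user):
        """Mark the session as authenticated, only if the pair is valid."""
        record = self._lookup(sid, token)
        if record is None:
            return False
        record["user"] = user
        return True

    def authenticated_user(self, sid, token):
        """Return the logged-in user or None; a valid session is not a valid user."""
        record = self._lookup(sid, token)
        return record["user"] if record else None
```

Application code that gates access on `authenticated_user()` rather than on `is_valid_session()` avoids the second problem Link raises, where merely holding a session is treated as being a valid user.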


