Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
From: Jeff Jancula (Jeff@Jancula.com)Date: 09/03/01
- Previous message: Vince Hillier: "Re: SSH 2.4.0/3.0.1 usernames guessable ?"
- Next in thread: Jeff Jancula: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
- Reply: Jeff Jancula: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
- Reply: Jeff Jancula: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <00a701c134b9$903a0480$a600000a@Jancula.com> From: "Jeff Jancula" <Jeff@Jancula.com> To: "Keith.Morgan" <Keith.Morgan@Terradon.com> Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) Date: Mon, 3 Sep 2001 16:46:53 -0400
Keith,
I tested BEA's WebLogic and IBM's Websphere - there were NOT vulnerable.
Jeff
----- Original Message -----
From: "Keith.Morgan" <Keith.Morgan@Terradon.com>
To: "'Jeff Jancula'" <Jeff@Jancula.com>
Cc: <vuln-dev@securityfocus.com>
Sent: Thursday, August 30, 2001 10:00 AM
Subject: RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
> I've always had a problem with using cookies or session variables for
> authentication mechanisms. These rely on client-side output. Session
> variables in IIS are really just temporary cookies. I could get into a
> whole rant about "best practices" regarding cookies, session auth etc... but
> that's not really the purpose of my reply.
>
> What I really want to know is, how does apache deal with cookies, sessions,
> etc... Has anyone tested to see if apache will accept user supplied cookie
> values?
>
> > -----Original Message-----
> > From: Jeff Jancula [mailto:Jeff@Jancula.com]
> > Sent: Wednesday, August 29, 2001 2:26 PM
> > To: vuln-dev@securityfocus.com
> > Subject: Web session tracking security prob. Vulnerable: IIS and
> > ColdFusion (maybe others)
> >
> >
> > SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS.
> >
> > On February 20, 2001 we reported the following problem (with
> > specifics to IIS and SITESERVER) to the Microsoft Security
> > Response Center.
> >
> > On March 22, 2001 we also reported a similar problem to
> > Allaire (now Macromedia) for ColdFusion.
> >
> > Approximately 2-3 weeks after reporting to appropriate
> > vendors, we also reported these vulnerabilities to CERT.ORG.
> >
> > PROBLEM DESCRIPTIONS:
> >
> > Microsoft Internet Information Server (IIS) and Site Server
> > do not verify that session cookie values were actually issued
> > by the server. An Internet user can generate their own
> > session cookie, which will be accepted as valid by these
> > servers. An attacker could use cross-site scripting
> > vulnerabilities to generate a modified session cookie, with a
> > predictable session value, then use the predetermined session
> > value to later take over (impersonate) other users.
> <snip>
>
- Previous message: Vince Hillier: "Re: SSH 2.4.0/3.0.1 usernames guessable ?"
- Next in thread: Jeff Jancula: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
- Reply: Jeff Jancula: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
- Reply: Jeff Jancula: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
