Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Lincoln Yeoh (lyeohat_private)
Date: Wed Aug 29 2001 - 22:35:08 PDT

  • Next message: Kayne Ian (Softlab): "RE: Outlook makes 99% CPU Usage with this message"

    At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:
    >BACKGROUND:
    >
    >When a Internet browser user visits IIS or ColdFusion hosted web sites,
    the web server issues browser commands similar to:
    >
    >(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
    >(for CF)  Set-Cookie: CFID=123
    >(for CF)  Set-Cookie: CFTOKEN=4567890
    >
    >The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values
    with each subsequent request to the web server. IIS and ColdFusion use
    these values to identify and track each user.
    >
    
    What does CFID=123 mean to cold fusion? Is that the user/session ID?
    
    Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and
    Cold Fusion will think it's the same user/session?
    
    If it does then it's a very big problem. If it doesn't, then it may not be
    a problem unless your application assumes that just having a session means
    it's a valid user.
    
    Cheerio,
    Link.
    



    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 07:59:05 PDT