Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Jeff Jancula (Jeffat_private)
Date: Wed Aug 29 2001 - 22:38:11 PDT


    As best I can tell, CFID is not the user ID - as it is usually the same for all visitors to the web site. I can only guess that it's more like a server ID. CFTOKEN is the actual session number. Note: These two cookies (or parameters) are for ColdFusion ONLY.
    
    IIS uses something similar called ASPSESSIONID. With ASPSESSIONID, the first group of 8 characters is the same for all visitors. Again, I believe this portion of ASPSESSIONID is a server identifier, and the remaining 16 characters make up the actual session number.
    
    ColdFusion chose to separate the two, whereas IIS chose to combine them.
    
    If I send you a link similar to https://someserver.com?CFID=101&CFTOKEN=99999, and then later we both visit the web site, using the same (or similar) links, the server will consider us to be the same user session. If I time it right, then I should wait for YOU to log in, so I don't have to. In effect, I can become your clone (in a web sense).
    
    Jeff
    
    
    ----- Original Message ----- 
    From: "Lincoln Yeoh" <lyeohat_private>
    To: "Jeff Jancula" <Jeffat_private>; <vuln-devat_private>
    Sent: Thursday, August 30, 2001 1:35 AM
    Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
    
    
    > At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:
    > >BACKGROUND:
    > >
    > >When an Internet browser user visits IIS or ColdFusion hosted web sites,
    > >the web server issues browser commands similar to:
    > >
    > >(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
    > >(for CF)  Set-Cookie: CFID=123
    > >(for CF)  Set-Cookie: CFTOKEN=4567890
    > >
    > >The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values
    > >with each subsequent request to the web server. IIS and ColdFusion use
    > >these values to identify and track each user.
    > >
    > 
    > What does CFID=123 mean to cold fusion? Is that the user/session ID?
    > 
    > Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and
    > Cold Fusion will think it's the same user/session?
    > 
    > If it does then it's a very big problem. If it doesn't, then it may not be
    > a problem unless your application assumes that just having a session means
    > it's a valid user.
    > 
    > Cheerio,
    > Link.
    > 
    
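As an added illustration of the "clone" scenario Jeff describes (a constructed model, not code from the post or from ColdFusion/IIS): a toy session store that adopts CFID/CFTOKEN from a link and keeps the same token across login reproduces the problem, while either ignoring URL-supplied identifiers or issuing a fresh CFTOKEN at login closes it. The CFID/CFTOKEN names and the 101/99999 values come from the post; the store's structure and behaviour are assumptions.

```python
import secrets


class SessionStore:
    """Constructed model of CFID/CFTOKEN handling; not ColdFusion's real logic."""

    def __init__(self, rotate_on_login: bool, accept_url_params: bool):
        self.rotate_on_login = rotate_on_login      # issue a new CFTOKEN when a user logs in
        self.accept_url_params = accept_url_params  # honour CFID/CFTOKEN from the query string
        self.sessions = {}                          # (cfid, cftoken) -> {"user": name or None}

    def resolve(self, cookies: dict, query: dict) -> tuple:
        """Choose the session key for a request the way the server would."""
        src = cookies
        if self.accept_url_params and "CFID" in query and "CFTOKEN" in query:
            src = query                             # link parameters override cookies
        key = (src.get("CFID"), src.get("CFTOKEN"))
        if key[0] is None or key[1] is None:        # no identifiers: mint a fresh session
            key = ("101", secrets.token_hex(8))     # "101" stands in for the server-wide CFID
        self.sessions.setdefault(key, {"user": None})
        return key

    def login(self, key: tuple, user: str) -> tuple:
        """Bind a user to the session; optionally replace the pre-login token first."""
        if self.rotate_on_login:
            self.sessions.pop(key, None)            # the pre-login token stops being valid
            key = (key[0], secrets.token_hex(8))
            self.sessions[key] = {"user": None}
        self.sessions[key]["user"] = user
        return key                                  # the new key would go out in Set-Cookie

    def whoami(self, key: tuple):
        return self.sessions.get(key, {}).get("user")


def fixation_survives(store: SessionStore) -> bool:
    """True if a session id chosen before login still carries the login afterwards."""
    shared = {"CFID": "101", "CFTOKEN": "99999"}    # the identifiers from the link in the post
    victim_key = store.resolve(cookies={}, query=shared)   # victim follows the link
    store.login(victim_key, "victim")                       # victim logs in
    later_key = store.resolve(cookies=shared, query={})     # later request, same identifiers
    return store.whoami(later_key) == "victim"
```

Only the store that both trusts link parameters and keeps its token across login lets the pre-chosen identifiers inherit the victim's login.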



    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 08:23:05 PDT