I've always had a problem with using cookies or session variables for authentication mechanisms. These rely on client-side output. Session variables in IIS are really just temporary cookies. I could get into a whole rant about "best practices" regarding cookies, session auth, etc... but that's not really the purpose of my reply. What I really want to know is, how does Apache deal with cookies, sessions, etc...? Has anyone tested to see if Apache will accept user-supplied cookie values?

> -----Original Message-----
> From: Jeff Jancula [mailto:Jeffat_private]
> Sent: Wednesday, August 29, 2001 2:26 PM
> To: vuln-devat_private
> Subject: Web session tracking security prob. Vulnerable: IIS and
> ColdFusion (maybe others)
>
>
> SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS.
>
> On February 20, 2001 we reported the following problem (with
> specifics to IIS and SITESERVER) to the Microsoft Security
> Response Center.
>
> On March 22, 2001 we also reported a similar problem to
> Allaire (now Macromedia) for ColdFusion.
>
> Approximately 2-3 weeks after reporting to appropriate
> vendors, we also reported these vulnerabilities to CERT.ORG.
>
> PROBLEM DESCRIPTIONS:
>
> Microsoft Internet Information Server (IIS) and Site Server
> do not verify that session cookie values were actually issued
> by the server. An Internet user can generate their own
> session cookie, which will be accepted as valid by these
> servers. An attacker could use cross-site scripting
> vulnerabilities to generate a modified session cookie, with a
> predictable session value, then use the predetermined session
> value to later take over (impersonate) other users. <snip>
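The behaviour described in the quoted report, as an added example (not code from the post, nor from IIS, Site Server or ColdFusion): a Python session store that adopts any id the client presents, beside one that honours only ids it issued itself (HMAC-tagged and looked up server-side) and rotates the id at login. The class names and the constructed id "predictable-value" are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

class TrustingStore:
    """Adopts whatever session id the client presents (the reported flaw)."""
    def __init__(self):
        self.sessions = {}
    def resolve(self, cookie):
        # An unknown id is silently created, so a planted id becomes a real session.
        return cookie, self.sessions.setdefault(cookie, {})
    def login(self, cookie, user):
        self.sessions.setdefault(cookie, {})["user"] = user
        return cookie  # the pre-authentication id is kept

class IssuedOnlyStore:
    """Honours only ids it generated: HMAC tag plus a server-side lookup."""
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self.sessions = {}
    def _tag(self, sid):
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()
    def issue(self):
        sid = secrets.token_urlsafe(24)  # unpredictable, chosen by the server
        self.sessions[sid] = {}
        return f"{sid}.{self._tag(sid)}"

    def resolve(self, cookie):
        sid, _, tag = (cookie or "").rpartition(".")
        # The id must still exist server-side and carry a valid tag (constant-time check).
        if sid in self.sessions and hmac.compare_digest(tag.encode(), self._tag(sid).encode()):
            return cookie, self.sessions[sid]
        fresh = self.issue()  # the client-chosen value is never adopted
        return fresh, self.sessions[fresh.split(".")[0]]

    def login(self, cookie, user):
        old, data = self.resolve(cookie)
        self.sessions.pop(old.split(".")[0], None)  # retire the pre-auth id
        fresh = self.issue()  # rotate the id at authentication
        self.sessions[fresh.split(".")[0]] = dict(data, user=user)
        return fresh

def planted_id_is_honoured(store):
    """True if a client-chosen id ends up carrying the authenticated user."""
    cookie, _ = store.resolve("predictable-value")  # victim arrives with a planted id
    store.login(cookie, "victim")                    # victim authenticates
    _, seen = store.resolve("predictable-value")     # planted id presented again later
    return seen.get("user") == "victim"
```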
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 08:25:13 PDT