RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Keith.Morgan (Keith.Morganat_private)
Date: Thu Aug 30 2001 - 07:00:19 PDT


    I've always had a problem with using cookies or session variables for
    authentication mechanisms.  These rely on client-side output.  Session
    variables in IIS are really just temporary cookies.  I could get into a
    whole rant about "best practices" regarding cookies, session auth etc... but
    that's not really the purpose of my reply.  
    
    What I really want to know is, how does Apache deal with cookies, sessions,
    etc.?  Has anyone tested to see if Apache will accept user-supplied cookie
    values?
    
    > -----Original Message-----
    > From: Jeff Jancula [mailto:Jeffat_private]
    > Sent: Wednesday, August 29, 2001 2:26 PM
    > To: vuln-devat_private
    > Subject: Web session tracking security prob. Vulnerable: IIS and
    > ColdFusion (maybe others)
    > 
    > 
    > SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS.
    > 
    > On February 20, 2001 we reported the following problem (with 
    > specifics to IIS and SITESERVER) to the Microsoft Security 
    > Response Center.
    > 
    > On March 22, 2001 we also reported a similar problem to 
    > Allaire (now Macromedia) for ColdFusion.
    > 
    > Approximately 2-3 weeks after reporting to appropriate 
    > vendors, we also reported these vulnerabilities to CERT.ORG.
    > 
    > PROBLEM DESCRIPTIONS:
    > 
    > Microsoft Internet Information Server (IIS) and Site Server 
    > do not verify that session cookie values were actually issued 
    > by the server. An Internet user can generate their own 
    > session cookie, which will be accepted as valid by these 
    > servers. An attacker could use cross-site scripting 
    > vulnerabilities to generate a modified session cookie, with a 
    > predictable session value, then use the predetermined session 
    > value to later take over (impersonate) other users.
    <snip>
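The behaviour Jeff describes (a server that treats any SESSIONID the client presents as a valid session, so an attacker can plant a predictable value and later impersonate whoever logs in under it), as an added example that is not code from the original post, nor from IIS, Site Server, ColdFusion or Apache. It models two session stores in Python: one that accepts whatever ID arrives, beside one that only honours IDs it issued itself and rotates the ID at login. The cookie name `SESSIONID`, the sample IDs, the `fixation_attack` walk-through and the in-memory dictionaries are assumptions for illustration.

```python
"""Session fixation: a store that trusts client-supplied session IDs beside
a store that only honours IDs it issued.  Added example; not code from the
original post or from any of the servers it names.  Everything here is an
in-memory model, not a real HTTP stack."""
import secrets

SESSION_COOKIE = "SESSIONID"   # assumed cookie name for this example


def parse_cookie_header(header):
    """Split a Cookie request header ("a=1; b=2") into a dict.
    Simplified RFC 6265 parsing: no quoting, no attributes."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


class AcceptingSessionStore:
    """Vulnerable model of the reported behaviour: any SESSIONID the client
    presents is accepted, and an unknown one simply becomes a live session."""

    def __init__(self):
        self.sessions = {}

    def session_for(self, cookie_header):
        cookies = parse_cookie_header(cookie_header)
        sid = cookies.get(SESSION_COOKIE) or secrets.token_urlsafe(16)
        return sid, self.sessions.setdefault(sid, {})   # no issuance check

    def login(self, cookie_header, user):
        sid, data = self.session_for(cookie_header)
        data["user"] = user
        return sid   # Set-Cookie keeps the same (possibly attacker-chosen) ID


class VerifyingSessionStore:
    """Hardened model: only IDs this server issued are honoured, and the ID
    is regenerated when the session gains authentication."""

    def __init__(self):
        self.sessions = {}

    def _issue(self):
        sid = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self.sessions[sid] = {}
        return sid

    def session_for(self, cookie_header):
        sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
        if sid not in self.sessions:      # never issued here: ignore it
            sid = self._issue()
        return sid, self.sessions[sid]

    def login(self, cookie_header, user):
        old_sid, data = self.session_for(cookie_header)
        del self.sessions[old_sid]        # retire the pre-login ID
        new_sid = self._issue()
        self.sessions[new_sid] = dict(data, user=user)
        return new_sid                    # Set-Cookie carries a fresh ID


def fixation_attack(store, attacker_sid=None):
    """Replay the attack from the advisory against `store`.

    The attacker either chooses a predictable ID or, when attacker_sid is
    None, first obtains a legitimately issued one from the server.  The ID
    is then planted in the victim's browser (the advisory's XSS step, here
    just a constructed Cookie header), the victim logs in, and the attacker
    presents the same cookie.  Returns the user the attacker now appears to
    be, or None if the attack failed."""
    if attacker_sid is None:
        attacker_sid, _ = store.session_for("")   # attacker's own visit
    planted_cookie = f"{SESSION_COOKIE}={attacker_sid}"
    store.login(planted_cookie, "victim")         # victim authenticates
    _, attacker_view = store.session_for(planted_cookie)
    return attacker_view.get("user")


if __name__ == "__main__":
    print("accepting store, chosen ID :", fixation_attack(AcceptingSessionStore(), "1234567890"))
    print("accepting store, issued ID :", fixation_attack(AcceptingSessionStore()))
    print("verifying store, chosen ID :", fixation_attack(VerifyingSessionStore(), "1234567890"))
    print("verifying store, issued ID :", fixation_attack(VerifyingSessionStore()))
```

The second `fixation_attack` variant is the reason the hardened store does more than check issuance: an attacker can always obtain a legitimately issued ID by visiting the site, so rejecting unknown IDs alone still leaves the planted-cookie route open. Regenerating the ID at the moment the session becomes authenticated is what actually cuts the attacker's copy off from the victim's logged-in session; the issuance check then mainly keeps predictable attacker-chosen values out of the store.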
    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 08:25:13 PDT