RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Norman Cook (normancookat_private)
Date: Thu Aug 30 2001 - 09:30:59 PDT

    Some good explanations were discussed on the www-mobile-code list recently,
    I think.
    
    http://www.securityfocus.com/templates/archive.pike?start=2001-08-12&end=2001-08-18&list=107&threads=0&
    
    I am not too familiar with Cold Fusion, however, if you run ASP (Active
    Server Page) Applications on your IIS Server, the server issues a Session
    ID to each new session.  This is how ASP maintains state across web pages.
    I assume it's the same concept for ColdFusion.
    
    This is an automatic process for ID generation that is rather random ...
    so theoretically (as MS always likes to put it) yes, they could steal
    a Session ID, but you would have to guess it first, and that would be
    akin to attempting to hijack a TCP/IP session using a guessed TCP/IP
    sequence number.
    
    John Hicks
    
    -----Original Message-----
    From: Lincoln Yeoh [mailto:lyeohat_private]
    Sent: Thursday, August 30, 2001 1:35 AM
    To: Jeff Jancula; vuln-devat_private
    Subject: Re: Web session tracking security prob. Vulnerable: IIS and
    ColdFusion (maybe others)
    
    
    At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:
    >BACKGROUND:
    >
    >When an Internet browser user visits IIS or ColdFusion hosted web sites,
    >the web server issues browser commands similar to:
    >
    >(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
    >(for CF)  Set-Cookie: CFID=123
    >(for CF)  Set-Cookie: CFTOKEN=4567890
    >
    >The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values
    >with each subsequent request to the web server. IIS and ColdFusion use
    >these values to identify and track each user.
    >
    
    What does CFID=123 mean to cold fusion? Is that the user/session ID?
    
    Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING
    and Cold Fusion will think it's the same user/session?
    
    If it does then it's a very big problem. If it doesn't, then it may not
    be a problem unless your application assumes that just having a session
    means it's a valid user.
    
    Cheerio,
    Link.
    
    
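An added defender-side check, not part of this thread, for auditing the session cookies your own application issues against the two properties argued over above: whether an identifier is a plain counter (the CFID=123 style) and how much of a longer token such as ASPSESSIONID actually changes between sessions. The Set-Cookie values below are constructed for illustration; it assumes you capture such headers from consecutive sessions of the application under test.

```python
from collections import defaultdict

# Constructed sample: Set-Cookie headers captured from four consecutive
# sessions of an application under test (all values are made up here).
SAMPLE_HEADERS = [
    "Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP",
    "Set-Cookie: ASPSESSIONID=BBBBBBBBQHFKDMBOAPJLCNEG",
    "Set-Cookie: ASPSESSIONID=BBBBBBBBNLCPAKGDIJEHOBMF",
    "Set-Cookie: ASPSESSIONID=BBBBBBBBKOJBNGAFHEDPMCIL",
    "Set-Cookie: CFID=123", "Set-Cookie: CFID=124",
    "Set-Cookie: CFID=125", "Set-Cookie: CFID=126",
    "Set-Cookie: CFTOKEN=4567890", "Set-Cookie: CFTOKEN=9183027",
    "Set-Cookie: CFTOKEN=2750419", "Set-Cookie: CFTOKEN=6094281",
]

def parse_set_cookie(header):
    """Return (name, value) from 'Set-Cookie: NAME=VALUE[; attrs]'."""
    body = header.split(":", 1)[1].strip()
    name, _, rest = body.partition("=")
    return name.strip(), rest.split(";", 1)[0].strip()

def group_by_name(headers):
    groups = defaultdict(list)  # cookie name -> sampled values, in capture order
    for header in headers:
        name, value = parse_set_cookie(header)
        groups[name].append(value)
    return groups

def sequential_deltas(values):
    """True when the values are integers advancing by one small constant step."""
    try:
        nums = [int(v) for v in values]
    except ValueError:
        return False  # not a plain integer counter
    deltas = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) > 1 and len(deltas) == 1 and 0 < deltas.pop() <= 1000

def varying_positions(values):
    """Character positions that differ across the sample; fixed ones add no entropy."""
    width = min(len(v) for v in values)
    return [i for i in range(width) if len({v[i] for v in values}) > 1]

def audit(headers):
    """Classify each cookie: a counter is guessable outright, otherwise report spread."""
    report = {}
    for name, values in group_by_name(headers).items():
        if sequential_deltas(values):
            report[name] = "predictable: sequential counter"
        else:
            varying = len(varying_positions(values))
            report[name] = f"{varying} of {len(values[0])} positions vary"
    return report
```

With only a handful of samples the "positions vary" figure is a sanity check on fixed prefixes, not an entropy measurement; a real audit needs hundreds of captured values.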



    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 10:09:19 PDT