Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Kevin Fu (fubobat_private)
Date: Thu Aug 30 2001 - 11:45:46 PDT


    Here's information about how CFTOKEN and CFID work.  Below is a
    snippet of technical information that Allaire Corporation sent me.
    
    My research group has documented stuff related to this on
    http://cookies.lcs.mit.edu/.
    
    --------
    Kevin E. Fu (fubobat_private)
    PGP key: https://snafu.fooworld.org/~fubob/pgp.html
    
    ------- Forwarded Message
    1) From the ColdFusion 4.5.1 SP2 Release Notes:
    >>> CFID is assigned sequentially per machine. The entire value 
    >>> must consist of all decimal digits (0-9). 
    >>> CFTOKEN - by default assigned as a random long integer. The 
    >>> value range is 0 < x < 2,147,483,647. ColdFusion no longer 
    >>> validates any part of this token, allowing users to re-assign 
    >>> this to any value they choose. 
    >>> 
    >>> However, by setting the registry key 
    >>> HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\
    >>> Clients\ UuidToken to be the string value "1", ColdFusion 
    >>> assigns CFTOKENS using the same random number concatenated 
    >>> with a UUID, which is guaranteed to be globally unique.
    >>> 
    >>> We use the random number to avoid simple guessing of the 
    >>> uuids, since only a small portion of a uuid changes with each 
    >>> assignment, and to make database lookups more efficient.
    >>> 
    >>> A typical CFTOKEN using this method looks like this: 
    >>> 57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5
    >>> 
    >>> If you turn on the UuidToken switch and you are storing 
    >>> client variable information in a database, you will need to 
    >>> increase the column width of the 'cfid' column in the CDATA 
    >>> and CGLOBAL tables. You should change the current width of 20 
    >>> characters to at least 50 characters, due to the increased 
    >>> length of CFTOKEN.
    >>> 
    >>> You may also have to change other applications if they are 
    >>> storing the CFTOKEN value in a fixed length field.
    
    2) I looked into the algorithm we use to generate the random number.  The
    answer from our lead developer for ColdFusion is:
    
    > We use a random number generator from the book
    >     Algorithms in C, p513 by Sedgewick
    
    Our lead developer does not think the random number generator is
    cryptographically secure.
    
    ...
    
    ------- End of Forwarded Message
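The forwarded note gives a tester three concrete properties to check for: CFID is a per-machine counter, a legacy CFTOKEN is a decimal integer in 0 < x < 2,147,483,647 (about 31 bits) from a generator that is not cryptographically secure, and a UuidToken-style CFTOKEN is that same random number in hex followed by a UUID, of which only a small part changes between assignments. The script below is an added example, not code from the original post or from Allaire. It parses constructed Set-Cookie headers, classifies each CFTOKEN, flags a sequential CFID, and contrasts the result with a token drawn from the OS CSPRNG. The cookie values, the max_gap heuristic and the assumption that the UUID suffix contributes no guessing resistance (so both token forms are scored at the 31 bits of the random prefix) are this example's own.

```python
"""Audit ColdFusion-style CFID/CFTOKEN session cookies for the weaknesses the
forwarded Allaire note describes.  Added example; all sample data is constructed."""
import math
import re
import secrets
from typing import Dict, List

# Documented CFTOKEN range: 0 < x < 2,147,483,647 (both bounds excluded).
MAX_CFTOKEN = 2_147_483_647

# Legacy form: decimal digits only.
LEGACY_RE = re.compile(r"^[0-9]+$")
# UuidToken form: up to 8 hex digits of random prefix, then an 8-4-4-4-12 UUID.
UUID_TOKEN_RE = re.compile(
    r"^(?P<rand>[0-9a-f]{1,8})-"
    r"(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE,
)
COOKIE_RE = re.compile(r"^\s*(CFID|CFTOKEN)=([^;]*)", re.IGNORECASE)

# Constructed Set-Cookie headers from four consecutive new sessions (hypothetical
# values; the last CFTOKEN is the sample format shown in the release notes).
SAMPLE_RESPONSES: List[List[str]] = [
    ["CFID=1201; path=/", "CFTOKEN=84738219; path=/"],
    ["CFID=1202; path=/", "CFTOKEN=19044073; path=/"],
    ["CFID=1203; path=/", "CFTOKEN=1603344511; path=/"],
    ["CFID=1204; path=/", "CFTOKEN=57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5; path=/"],
]


def parse_session_cookies(set_cookie_headers: List[str]) -> Dict[str, str]:
    """Pull CFID and CFTOKEN out of one response's Set-Cookie headers."""
    found: Dict[str, str] = {}
    for header in set_cookie_headers:
        m = COOKIE_RE.match(header)
        if m:
            found[m.group(1).upper()] = m.group(2).strip()
    return found


def classify_cftoken(token: str) -> str:
    """'legacy' (in-range decimal), 'uuid' (prefix-UUID form) or 'invalid'."""
    if UUID_TOKEN_RE.match(token):
        return "uuid"
    if LEGACY_RE.match(token) and 0 < int(token) < MAX_CFTOKEN:
        return "legacy"
    return "invalid"


def cftoken_entropy_bits(token: str) -> float:
    """Upper bound on unpredictable bits.  Assumption of this example: the UUID
    suffix is treated as guessable (mostly constant per host), so both forms are
    scored at the ~31 bits of the random number that precedes it."""
    if classify_cftoken(token) == "invalid":
        return 0.0
    return math.log2(MAX_CFTOKEN - 1)


def cfid_sequential(cfids: List[int], max_gap: int = 10) -> bool:
    """True when each CFID rises by a small step: the signature of a per-machine
    counter.  max_gap is a heuristic chosen for this example."""
    if len(cfids) < 2:
        return False
    return all(0 < b - a <= max_gap for a, b in zip(cfids, cfids[1:]))


def audit(responses: List[List[str]]) -> List[str]:
    """Return one finding per weakness observed across the sampled sessions."""
    sessions = [parse_session_cookies(r) for r in responses]
    cfids = [int(s["CFID"]) for s in sessions if s.get("CFID", "").isdigit()]
    findings: List[str] = []
    if cfid_sequential(cfids):
        findings.append("CFID is sequential: one observed value predicts its neighbours")
    for s in sessions:
        token = s.get("CFTOKEN", "")
        bits = cftoken_entropy_bits(token)
        if bits < 64:  # far below what a session identifier should carry
            findings.append(f"CFTOKEN {token!r} ({classify_cftoken(token)}): "
                            f"about {bits:.0f} bits of unpredictability")
    return findings


def secure_cftoken(nbytes: int = 16) -> str:
    """What a replacement token looks like: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
    print("CSPRNG alternative:", secure_cftoken())
```

Run it as-is to see the five findings for the constructed sample; to test a real deployment, replace SAMPLE_RESPONSES with the Set-Cookie headers from a handful of fresh sessions requested in quick succession, since the sequential-CFID check only means anything when the samples are adjacent in time.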
    



    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 16:36:14 PDT