Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)

From: Kevin Fu (fubobat_private)
Date: Thu Aug 30 2001 - 11:45:46 PDT

Next message: Jon Zobrist: "RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"

Previous message: Ben Ford: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
In reply to: Norman Cook: "RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
Next in thread: Ben Ford: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Here's information about how CFTOKEN and CFID work.  Below is a
snippet of technical information that Allaire Corporation sent me.

My research group has documented stuff related to this on
http://cookies.lcs.mit.edu/.

--------
Kevin E. Fu (fubobat_private)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html

------- Forwarded Message
1) From the ColdFusion 4.5.1 SP2 Release Notes:
>>> CFID is assigned sequentially per machine. The entire value 
>>> must consist of all decimal digits (0-9). 
>>> CFTOKEN - by default assigned as a random long integer. The 
>>> value range is 0 < x < 2,147,483,647. ColdFusion no longer 
>>> validates any part of this token, allowing users to re-assign 
>>> this to any value they choose. 
>>> 
>>> However, by setting the registry key 
>>> HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\
>>> Clients\ UuidToken to be the string value "1", ColdFusion 
>>> assigns CFTOKENS using the same random number concatenated 
>>> with a UUID, which is guaranteed to be globally unique.
>>> 
>>> We use the random number to avoid simple guessing of the 
>>> uuids, since only a small portion of a uuid changes with each 
>>> assignment, and to make database lookups more efficient.
>>> 
>>> A typical CFTOKEN using this method looks like this: 
>>> 57c6419-f0c43bb2-9e8d-11d3-8b87-00c04fa35ba5
>>> 
>>> If you turn on the UuidToken switch and you are storing 
>>> client variable information in a database, you will need to 
>>> increase the column width of the 'cfid' column in the CDATA 
>>> and CGLOBAL tables. You should change the current width of 20 
>>> characters to at least 50 characters, due to the increased 
>>> length of CFTOKEN.
>>> 
>>> You may also have to change other applications if they are 
>>> storing the CFTOKEN value in a fixed length field.

2) I looked into the algorithm we use to generate the random number.  The
answer from our lead developer for ColdFusion is:

> We use a random number generator from the book
>     Algorithms in C, p513 by Sedgewick

Our lead developer does not think the random number generator is
cryptographically secure.

...

------- End of Forwarded Message

Next message: Jon Zobrist: "RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
Previous message: Ben Ford: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
In reply to: Norman Cook: "RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
Next in thread: Ben Ford: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 16:36:14 PDT