I wouldn't blame Cold Fusion for making this easier, it's a developer's job to use their tool correctly. Allaire recommends scoping all variables all the time, and this would avoid a variable from the URL scope being used instead of one from the Session scope (where the real CFID and CFTOKEN are). -Jon <snip> > ColdFusion makes this attack even easier, because it allows its session tracking variables to be specified on the URL line. So, an attacker could force a predictable cookie value by passing a user a link, via e-mail, another web site, or as a bookmark. For example: > > http://www.MyColdFusion.net?CFID=123&CFTOKEN=1111111 > <snip>
This archive was generated by hypermail 2b30 : Fri Aug 31 2001 - 08:53:16 PDT