RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Jon Zobrist (kgbat_private)
Date: Fri Aug 31 2001 - 07:05:54 PDT

Next message: wwieserat_private: "Re: solaris gdb screen mayhem"

Previous message: Kevin Fu: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
In reply to: Michael J. Cannon: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
Next in thread: Lincoln Yeoh: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I wouldn't blame Cold Fusion for making this easier, it's a developer's job
to use their tool correctly. Allaire recommends scoping all variables all
the time, and this would avoid a variable from the URL scope being used
instead of one from the Session scope (where the real CFID and CFTOKEN are).


-Jon

<snip>
> ColdFusion makes this attack even easier, because it allows its session
tracking variables to be specified on the URL line. So, an attacker could
force a predictable cookie value by passing a user a link, via e-mail,
another web site, or as a bookmark. For example:
>
>  http://www.MyColdFusion.net?CFID=123&CFTOKEN=1111111
>


<snip>

Next message: wwieserat_private: "Re: solaris gdb screen mayhem"
Previous message: Kevin Fu: "Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)"
In reply to: Michael J. Cannon: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
Next in thread: Lincoln Yeoh: "Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 31 2001 - 08:53:16 PDT