RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Jon Zobrist (kgbat_private)
Date: Fri Aug 31 2001 - 07:05:54 PDT


    I wouldn't blame ColdFusion for making this easier; it's a developer's job
    to use their tool correctly. Allaire recommends scoping all variables all
    the time, and this would avoid a variable from the URL scope being used
    instead of one from the Session scope (where the real CFID and CFTOKEN are).
    
    
    -Jon
    
    <snip>
    > ColdFusion makes this attack even easier, because it allows its session
    > tracking variables to be specified on the URL line. So, an attacker could
    > force a predictable cookie value by passing a user a link, via e-mail,
    > another web site, or as a bookmark. For example:
    >
    >  http://www.MyColdFusion.net?CFID=123&CFTOKEN=1111111
    >
    
    
    <snip>
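
A defender-side check for the URL-supplied session identifiers quoted above, as an added example that is not part of the original message: it scans access-log lines for CFID and CFTOKEN on the query string and reports any pair sent by more than one client address. The log format, sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (assumed format): client IP, quoted request line, status.
SAMPLE_LOG = """\
10.0.0.5 "GET /index.cfm?CFID=123&CFTOKEN=1111111 HTTP/1.0" 200
10.0.0.9 "GET /account.cfm?cfid=123&cftoken=1111111 HTTP/1.0" 200
10.0.0.7 "GET /index.cfm HTTP/1.0" 200
10.0.0.7 "GET /news.cfm?CFID=456&CFTOKEN=87654321 HTTP/1.0" 200
10.0.0.7 "GET /search.cfm?q=CFID HTTP/1.0" 200
"""

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" \d{3}$')


def url_session_ids(target):
    """Return (CFID, CFTOKEN) when both are supplied on the query string, else None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # CFML variable names are case-insensitive, so compare parameter names in lower case.
    params = {name.lower(): values[0] for name, values in query.items()}
    if "cfid" in params and "cftoken" in params:
        return params["cfid"], params["cftoken"]
    return None


def find_shared_url_sessions(log_text):
    """Return {(CFID, CFTOKEN): [client IPs]} for URL-supplied pairs seen from 2+ clients."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        ip, target = match.groups()
        pair = url_session_ids(target)
        if pair:
            clients[pair].add(ip)
    return {pair: sorted(ips) for pair, ips in clients.items() if len(ips) > 1}


if __name__ == "__main__":
    for (cfid, cftoken), ips in find_shared_url_sessions(SAMPLE_LOG).items():
        print(f"CFID={cfid} CFTOKEN={cftoken} sent on the URL by: {', '.join(ips)}")
```
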
    


