Keith, I tested BEA's WebLogic and IBM's Websphere - they were NOT vulnerable.

Jeff

----- Original Message -----
From: "Keith.Morgan" <Keith.Morganat_private>
To: "'Jeff Jancula'" <Jeffat_private>
Cc: <vuln-devat_private>
Sent: Thursday, August 30, 2001 10:00 AM
Subject: RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

> I've always had a problem with using cookies or session variables for
> authentication mechanisms. These rely on client-side output. Session
> variables in IIS are really just temporary cookies. I could get into a
> whole rant about "best practices" regarding cookies, session auth etc... but
> that's not really the purpose of my reply.
>
> What I really want to know is, how does apache deal with cookies, sessions,
> etc... Has anyone tested to see if apache will accept user-supplied cookie
> values?
>
> > -----Original Message-----
> > From: Jeff Jancula [mailto:Jeffat_private]
> > Sent: Wednesday, August 29, 2001 2:26 PM
> > To: vuln-devat_private
> > Subject: Web session tracking security prob. Vulnerable: IIS and
> > ColdFusion (maybe others)
> >
> >
> > SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS.
> >
> > On February 20, 2001 we reported the following problem (with
> > specifics to IIS and SITESERVER) to the Microsoft Security
> > Response Center.
> >
> > On March 22, 2001 we also reported a similar problem to
> > Allaire (now Macromedia) for ColdFusion.
> >
> > Approximately 2-3 weeks after reporting to appropriate
> > vendors, we also reported these vulnerabilities to CERT.ORG.
> >
> > PROBLEM DESCRIPTIONS:
> >
> > Microsoft Internet Information Server (IIS) and Site Server
> > do not verify that session cookie values were actually issued
> > by the server. An Internet user can generate their own
> > session cookie, which will be accepted as valid by these
> > servers. An attacker could use cross-site scripting
> > vulnerabilities to generate a modified session cookie, with a
> > predictable session value, then use the predetermined session
> > value to later take over (impersonate) other users.
> <snip>
>
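The scenario the quoted advisory describes (a server adopting a session id the client made up, then binding the victim's login to it) can be played through in a few lines. The following is an added illustration written for this archive page, not code from the advisory, from IIS, Site Server or ColdFusion; the `SessionStore` class, the `FIXED_SESSION_ID` value and the `run_fixation_attempt` helper are constructed for the example. It shows the attacker-chosen id winning only when the server accepts unknown ids and does not rotate the id at login, and goes slightly beyond the advisory by also showing why rotation alone closes the hole:

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Toy server-side session table (constructed for this example).

    accept_client_supplied_ids=True mimics the behaviour the advisory reports:
    whatever session id arrives in the Cookie header is treated as valid, with
    no check that the server ever issued it.
    """

    def __init__(self, accept_client_supplied_ids: bool) -> None:
        self.accept_client_supplied_ids = accept_client_supplied_ids
        self.sessions: Dict[str, dict] = {}  # session id -> session data

    def new_session(self) -> str:
        # Issue an unguessable id and record it server-side.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def resolve(self, cookie_sid: Optional[str]) -> str:
        """Map the id presented in the request's Cookie header to a session."""
        if cookie_sid in self.sessions:
            return cookie_sid  # an id we issued and still track
        if cookie_sid is not None and self.accept_client_supplied_ids:
            # Vulnerable path: adopt the client's id as a brand-new session.
            self.sessions[cookie_sid] = {}
            return cookie_sid
        # Hardened path: an unknown id is ignored and a fresh one is issued.
        return self.new_session()

    def login(self, sid: str, user: str, regenerate_id: bool) -> str:
        """Bind `user` to the session, optionally rotating the id on login."""
        data = self.sessions[sid]
        data["user"] = user
        if regenerate_id:
            # Retire the pre-login id so anyone who knew it cannot reuse it.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = data
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


# Constructed, predictable value standing in for the cookie an attacker plants
# in the victim's browser; the advisory's XSS delivery step is not reproduced.
FIXED_SESSION_ID = "ATTACKER-CHOSEN-0001"


def run_fixation_attempt(accept_client_supplied_ids: bool,
                         regenerate_id_on_login: bool) -> Optional[str]:
    """Play out the scenario; return the user the attacker ends up logged in as."""
    store = SessionStore(accept_client_supplied_ids)
    # 1. The victim's browser sends the planted cookie; the server resolves it.
    victim_sid = store.resolve(FIXED_SESSION_ID)
    # 2. The victim authenticates; identity attaches to whatever session was resolved.
    store.login(victim_sid, "alice", regenerate_id=regenerate_id_on_login)
    # 3. The attacker later presents the same predetermined id.
    return store.user_for(store.resolve(FIXED_SESSION_ID))


if __name__ == "__main__":
    for accept in (True, False):
        for rotate in (False, True):
            who = run_fixation_attempt(accept, rotate)
            print(f"accept unknown ids={accept!s:5} rotate on login={rotate!s:5} "
                  f"-> attacker is {who!r}")
```

Only the first combination (unknown ids accepted, no rotation) yields `'alice'`; either refusing ids the server never issued or regenerating the id at login leaves the attacker with an empty session. Real deployments should do both, since rotation protects the login step but not a session that was fixed after authentication.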
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 01:40:35 PDT