Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Jeff Jancula (Jeffat_private)
Date: Mon Sep 03 2001 - 13:52:07 PDT


    John,
    
    I think you miss the point... IIS does issue a session ID, however you do not have to use it! You can make your own ID up! So, forget about "guessing" someone's session ID, just feed a victim with malicious cross-site scripting or a more permanent cookie (ASPSESSION), and you will KNOW the session ID you gave them.
    
    Hijacking becomes easy then.
    
    Jeff
    
    ----- Original Message ----- 
    From: "Hicks, John" <JHicksat_private>
    To: <vuln-devat_private>
    Sent: Thursday, August 30, 2001 11:23 AM
    Subject: RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
    
    
    > I am not too familiar with Cold Fusion, however, if you run ASP (Active
    > Server Page) Applications on your IIS Server, the server issues a Session ID
    > to each new session.  This is how ASP maintains state across web pages.  I
    > assume it's the same concept for ColdFusion.
    > 
    > This is an Automatic process for ID generation that I rather random ... so
    > theoretically (as MS always likes to put it) yes, they could steal a Session
    > ID, but you would have to guess it first, and that would be akin to
    > attempting to hijack a TCP/IP session using a guessed TCP/IP sequence
    > number.
    > 
    > John Hicks
    > 
    > -----Original Message-----
    > From: Lincoln Yeoh [mailto:lyeohat_private]
    > Sent: Thursday, August 30, 2001 1:35 AM
    > To: Jeff Jancula; vuln-devat_private
    > Subject: Re: Web session tracking security prob. Vulnerable: IIS and
    > ColdFusion (maybe others)
    > 
    > 
    > At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:
    > >BACKGROUND:
    > >
    > >When a Internet browser user visits IIS or ColdFusion hosted web sites,
    > the web server issues browser commands similar to:
    > >
    > >(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP
    > >(for CF)  Set-Cookie: CFID=123
    > >(for CF)  Set-Cookie: CFTOKEN=4567890
    > >
    > >The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values
    > with each subsequent request to the web server. IIS and ColdFusion use
    > these values to identify and track each user.
    > >
    > 
    > What does CFID=123 mean to cold fusion? Is that the user/session ID?
    > 
    > Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and
    > Cold Fusion will think it's the same user/session?
    > 
    > If it does then it's a very big problem. If it doesn't, then it may not be
    > a problem unless your application assumes that just having a session means
    > it's a valid user.
    > 
    > Cheerio,
    > Link.
    
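The defect Jeff describes is that the server adopts whatever ASPSESSIONID value the client presents, so an attacker who plants a cookie already knows the victim's session ID. The following is an added example, not code from IIS, ColdFusion or anyone in this thread: a minimal, constructed session store in the fixation-prone form beside a hardened form that only honours IDs it issued itself and rotates the ID at login.

```python
import secrets

# Cookie name taken from the thread; the store below is a constructed model, not IIS code.
SESSION_COOKIE = "ASPSESSIONID"


def parse_cookies(header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


class FixationProneStore:
    """Models the behaviour described in the thread: any presented ID becomes a live session."""

    def __init__(self):
        self.sessions = {}

    def resolve(self, cookie_header: str) -> str:
        sid = parse_cookies(cookie_header).get(SESSION_COOKIE) or secrets.token_urlsafe(24)
        self.sessions.setdefault(sid, {})  # a client-chosen ID is accepted as-is
        return sid


class HardenedStore:
    """Only server-issued IDs are honoured; unknown IDs are discarded and the ID is rotated at login."""

    def __init__(self):
        self.sessions = {}

    def resolve(self, cookie_header: str) -> str:
        sid = parse_cookies(cookie_header).get(SESSION_COOKIE)
        if sid not in self.sessions:  # forged, stale or missing ID: ignore it and issue a fresh one
            sid = secrets.token_urlsafe(24)
            self.sessions[sid] = {}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Bind the user to a brand-new ID so any pre-login ID an attacker knew is worthless."""
        data = self.sessions.pop(sid)  # KeyError if the ID was never issued by this server
        data["user"] = user
        new_sid = secrets.token_urlsafe(24)
        self.sessions[new_sid] = data
        return new_sid
```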



    This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 01:42:36 PDT