Vulnerability Development mailing list archives
RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Thu, 30 Aug 2001 11:23:39 -0400
I am not too familiar with Cold Fusion, however, if you run ASP (Active Server Page) Applications on your IIS Server, the server issues a Session ID to each new session. This is how ASP maintains state across web pages. I assume it's the same concept for ColdFusion. This is an Automatic process for ID generation that I rather random ... so theoretically (as MS always likes to put it) yes, they could steal a Session ID, but you would have to guess it first, and that would be akin to attempting to hijack a TCP/IP session using a guessed TCP/IP sequence number. John Hicks -----Original Message----- From: Lincoln Yeoh [mailto:lyeoh () pop jaring my] Sent: Thursday, August 30, 2001 1:35 AM To: Jeff Jancula; vuln-dev () securityfocus com Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote:
BACKGROUND: When a Internet browser user visits IIS or ColdFusion hosted web sites,
the web server issues browser commands similar to:
(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP (for CF) Set-Cookie: CFID=123 (for CF) Set-Cookie: CFTOKEN=4567890 The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values
with each subsequent request to the web server. IIS and ColdFusion use these values to identify and track each user.
What does CFID=123 mean to cold fusion? Is that the user/session ID? Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and Cold Fusion will think it's the same user/session? If it does then it's a very big problem. If it doesn't, then it may not be a problem unless your application assumes that just having a session means it's a valid user. Cheerio, Link.
Current thread:
- RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Keith.Morgan (Aug 30)
- Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Ben Ford (Aug 30)
- <Possible follow-ups>
- RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Hicks, John (Aug 30)