WebApp Sec mailing list archives

Re: ColdFusion - CFID & CFTOKEN


From: leighm () linuxbandwagon com
Date: Thu, 12 May 2005 21:10:49 +1000

I've found that if a site is running ColdFusion, chances are that the sysadmin's
technical skills aren't very good (or they'd write it in PHP or Python or
something),

which usually means if you look around the system somewhere you'll find something
that the sysadmin has implemented incorrectly.

You may disagree, but that's my theory, and it seems to work for more sites than you
think ;)

Quoting ron thigpen <ron () fuzzsonic com>:

Jason binger wrote:
I am currently doing some work with CF MX 6.1 and was
wondering if anyone had some information on the
strength of the CF cookie implementation.

More information here:
<http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_18133>

Article describes a method for generating UUIDs for use as CFTOKEN values. It is also intimated that the code for generating standard (non-UUID) CFTOKEN values has changed in the MX release.

Seems it would be worth taking a new look at these standard CFTOKEN values from an MX install to see if they still follow the pattern indicated in Amit's paper.

--rt





----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Attachment: _bin
Description: PGP Public Key
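Ron's suggestion above, of pulling a batch of CFTOKEN values from an MX install and checking whether they still follow a guessable pattern, is easy to turn into a small triage script. The Python below is an added example for this thread, not code from the list or from Macromedia's knowledge-base article. It parses CFID/CFTOKEN out of raw Set-Cookie lines, then flags three things a tester cares about: whether successive numeric tokens step by tiny increments (sequential), whether the keyspace is too small to matter even if the generator is random (an 8-digit number is under 27 bits), and whether the value is merely UUID-shaped, which by itself says nothing about how it was generated. All sample cookie lines and token lists are constructed; the `SAMPLE_RESPONSES`, `UUID_SAMPLE` and `RANDOM_NUMERIC_SAMPLE` names and the `sequential_delta` threshold are this example's own choices.

```python
"""Predictability triage for ColdFusion CFID/CFTOKEN cookies.

Added example for this thread, not code from the list or from Macromedia.
The Set-Cookie lines and token lists below are constructed; a real check
needs hundreds of values harvested from fresh sessions on the target.
"""
import math
import re

COOKIE_RE = re.compile(r"\b(CFID|CFTOKEN)=([^;\s]+)", re.IGNORECASE)
# ColdFusion's CreateUUID() emits 8-4-4-16 hex (35 chars); RFC 4122 UUIDs are 8-4-4-4-12.
CF_UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{16}$")
RFC_UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# Constructed sample: one list of Set-Cookie lines per fresh-session response.
SAMPLE_RESPONSES = [
    ["Set-Cookie: CFID=1832;path=/", "Set-Cookie: CFTOKEN=49283711;path=/"],
    ["Set-Cookie: CFID=1833;path=/", "Set-Cookie: CFTOKEN=49283712;path=/"],
    ["Set-Cookie: CFID=1834;path=/", "Set-Cookie: CFTOKEN=49283714;path=/"],
    ["Set-Cookie: CFID=1835;path=/", "Set-Cookie: CFTOKEN=49283715;path=/"],
    ["Set-Cookie: CFID=1836;path=/", "Set-Cookie: CFTOKEN=49283719;path=/"],
]
# Constructed: tokens in ColdFusion's 8-4-4-16 UUID layout.
UUID_SAMPLE = [
    "8A1D3C2E-5B4F-7A6E-9C8B0D1F2E3A4B5C",
    "0F9E8D7C-6B5A-4938-27160F0E1D2C3B4A",
    "DEADBEEF-0123-4567-89ABCDEF01234567",
]
# Constructed: numeric tokens with no ordering, to show the keyspace problem.
RANDOM_NUMERIC_SAMPLE = ["49283711", "10394827", "88201934", "03918274"]


def extract_session_cookies(responses):
    """Return [(cfid, cftoken), ...], one pair per response that set both."""
    pairs = []
    for headers in responses:
        found = {}
        for line in headers:
            for name, value in COOKIE_RE.findall(line):
                found[name.upper()] = value
        if "CFID" in found and "CFTOKEN" in found:
            pairs.append((found["CFID"], found["CFTOKEN"]))
    return pairs


def is_uuid_token(token):
    return bool(CF_UUID_RE.match(token) or RFC_UUID_RE.match(token))


def symbol_space(tokens):
    """Size of the alphabet the tokens draw from, ignoring '-' separators."""
    body = "".join(t.replace("-", "") for t in tokens)
    if body.isdigit():
        return 10
    if re.fullmatch(r"[0-9A-Fa-f]+", body):
        return 16
    if body.isalnum():
        return 62
    return len(set(body))


def entropy_ceiling_bits(tokens):
    """Upper bound: every non-separator position free over the alphabet.
    A real generator can only be weaker than this number suggests."""
    longest = max(len(t.replace("-", "")) for t in tokens)
    return longest * math.log2(symbol_space(tokens))


def numeric_pattern(tokens):
    """For all-numeric tokens (the classic CFTOKEN shape), look at the gaps
    between successive values; mostly-positive, tiny gaps mean the next
    token can be guessed from the previous one."""
    if len(tokens) < 2 or not all(t.isdigit() for t in tokens):
        return None
    values = [int(t) for t in tokens]
    deltas = [b - a for a, b in zip(values, values[1:])]
    return {
        "deltas": deltas,
        "increasing_fraction": sum(1 for d in deltas if d > 0) / len(deltas),
        "max_abs_delta": max(abs(d) for d in deltas),
    }


def assess(tokens, sequential_delta=1000):
    """Classify a token sample as sequential, low-entropy, uuid-format or
    no-obvious-pattern. sequential_delta is an arbitrary tuning knob."""
    result = {
        "count": len(tokens),
        "uuid": all(is_uuid_token(t) for t in tokens),
        "ceiling_bits": round(entropy_ceiling_bits(tokens), 1),
        "numeric": numeric_pattern(tokens),
    }
    pat = result["numeric"]
    if result["uuid"]:
        # Format alone proves nothing: a time-based UUID is still guessable.
        result["verdict"] = "uuid-format"
    elif pat and pat["increasing_fraction"] >= 0.9 and pat["max_abs_delta"] <= sequential_delta:
        result["verdict"] = "sequential"
    elif result["ceiling_bits"] < 64:
        result["verdict"] = "low-entropy"
    else:
        result["verdict"] = "no-obvious-pattern"
    return result


def demo():
    """Run the three constructed samples and return (tokens, cfids, uuids, random)."""
    pairs = extract_session_cookies(SAMPLE_RESPONSES)
    cfids = [c for c, _ in pairs]
    cftokens = [t for _, t in pairs]
    return (assess(cftokens), assess(cfids), assess(UUID_SAMPLE), assess(RANDOM_NUMERIC_SAMPLE))


if __name__ == "__main__":
    for label, r in zip(("CFTOKEN", "CFID", "UUID", "random numeric"), demo()):
        print(f"{label:15s} verdict={r['verdict']:20s} ceiling={r['ceiling_bits']} bits")
```

In a real engagement, replace the constructed `SAMPLE_RESPONSES` with headers captured from a few hundred fresh sessions, and also feed the CFID column through `assess`: a sequential CFID beside a short CFTOKEN narrows the brute-force space to the token alone. A "uuid-format" verdict is only the start of the analysis; the next step is to see whether the hex fields drift with time or share a fixed suffix across sessions, which would point at a time- or node-based generator rather than a random one.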

