exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CGILua 5.x Predictable Session Identifier

CGILua 5.x Predictable Session Identifier
Posted May 1, 2014
Authored by Felipe Daragon | Site syhunt.com

A vulnerability in the session library that ships with CGILua since version 5.0 beta may allow remote attackers to easily and quickly guess valid session IDs generated by a Lua web application and perform session hijacking.

tags | advisory, remote, web
advisories | CVE-2014-2875
SHA-256 | d47d6ee8b23d4dfc00517ad05df39563c3ec959859f6a90ece46d4098f19ee5c

CGILua 5.x Predictable Session Identifier

Change Mirror Download
Syhunt Advisory: CGILua session.lua Predictable Session ID Vulnerability

Advisory-ID: 201404301
Discovery Date: 03.27.2014
Release Date: 04.30.2014
Affected Applications: CGILua 5.0.x, CGILua 5.1.x., CGILua 5.2 alpha 1 &
CGILua 5.2 alpha 2
Class: Predictable Session ID
Status: Unpatched/Vendor informed
Vendor: CGILua project
Vendor URL: https://github.com/keplerproject/cgilua
Advisory URL: http://www.syhunt.com/advisories/?id=cgilua-weaksessionid

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVE to this vulnerability: CVE-2014-2875


CGILua is an open source tool for creating dynamic Web pages and
manipulating input data from Web forms. It allows the separation
of logic and data handling from the generation of pages, making
it easy to develop web applications with the Lua programming

Over the years the tool has been adopted by several
organizations worldwide, especially in Brazil where it has been
adopted by some high profile organizations.

A vulnerability in the session library that ships with CGILua
since version 5.0 beta may allow remote attackers to easily and
quickly guess valid session IDs generated by a Lua web
application and perform session hijacking - for example, gain
access to user sessions of various other logged-in users.



CGILua 5.2 alpha, released in 2013, generates weak/insufficiently
random session IDs (usually 9-digit long, sometimes shorter),
based on OS time.
Since an attacker can view the source on GitHub, he knows the
generation mechanism. In our attack simulations, we were able to
guess valid session IDs extremely quickly through brute-force

CGILua 5.1.x (2007-2010) contains a bug and always generates the
same ID. Since this bug is easily noticeable and makes the
library unusable, we doubt that the version of the session
library included with this release is in production anywhere.

CGILua 5.0.x, released in 2004, generates sequential (non-random)
8-digit long session IDs, making guessing even more easy.


Vulnerability Status:

The project maintainers were initially contacted at the end of
March, 2014.

The maintainer Tomás Guisasola believes that the session IDs
generated by CGILua 5.0 and 5.2 are not insecure in its current
form and that enhancing the randomness of the SID would
not make it more secure.

The maintainer confirmed that the session ID generation in
CGILua 5.1 is buggy - always generates the same ID, thus is

Because there is no patch for this vulnerability (the author
does not consider it a security risk and is unresponsive) we
recommend that users simply do not use CGILua's session.lua
library until hopefully there is a patch issued to remedy this.

According to the CGILua changelog, the session API was
introduced in version 5.0 beta, therefore older versions, like
5.0 alpha, 4.x and before don't include the session.lua
library and should not be marked as vulnerable to this
particular issue.

In case you wish to manually patch the session library, consider
using the luuid library, which generates 128-bit random IDs, as
part of the fix, or any other Lua library that can generate
unique IDs based on high-quality randomness. After patching
(either with an official patch or your own patch), it is
necessary to remove/invalidate all sessions generated by the
old, unpatched code.


Disclosure Timeline:

* March 27, 2014 - Emailed the maintainers about the need of
hardening CGILua.
* April 2, 2014 - No reply. Emailed the maintainer once again.
* April 2, 2014 - First maintainer reply (see Vulnerability Status
above for details).
* April 4, 2014 - Syhunt sends information about recommended
SID length and entropy
* April 13, 2014 - Syhunt sends details about its own
demonstration tool that is able to guess CGILua session IDs, along
with additional comments in a separate email.
* April 30, 2014 - No response received to emails sent on April 4 & 13.
* April 30, 2014 - Public disclosure.


Felipe Daragon
Syhunt Security Research Team, www.syhunt.com

We thank James Mouat, which performed some additional tests,
helping with the diagnosis of this issue.


Copyright © 2014 Syhunt Security

The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By