what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CGILua 5.x Predictable Session Identifier

CGILua 5.x Predictable Session Identifier
Posted May 1, 2014
Authored by Felipe Daragon | Site syhunt.com

A vulnerability in the session library that ships with CGILua since version 5.0 beta may allow remote attackers to easily and quickly guess valid session IDs generated by a Lua web application and perform session hijacking.

tags | advisory, remote, web
advisories | CVE-2014-2875
SHA-256 | d47d6ee8b23d4dfc00517ad05df39563c3ec959859f6a90ece46d4098f19ee5c

CGILua 5.x Predictable Session Identifier

Change Mirror Download
Syhunt Advisory: CGILua session.lua Predictable Session ID Vulnerability

Advisory-ID: 201404301
Discovery Date: 03.27.2014
Release Date: 04.30.2014
Affected Applications: CGILua 5.0.x, CGILua 5.1.x., CGILua 5.2 alpha 1 &
CGILua 5.2 alpha 2
Class: Predictable Session ID
Status: Unpatched/Vendor informed
Vendor: CGILua project
Vendor URL: https://github.com/keplerproject/cgilua
Advisory URL: http://www.syhunt.com/advisories/?id=cgilua-weaksessionid

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVE to this vulnerability: CVE-2014-2875

----------------------------------------------------------------

Overview:
CGILua is an open source tool for creating dynamic Web pages and
manipulating input data from Web forms. It allows the separation
of logic and data handling from the generation of pages, making
it easy to develop web applications with the Lua programming
language.

Over the years the tool has been adopted by several
organizations worldwide, especially in Brazil where it has been
adopted by some high profile organizations.

Description:
A vulnerability in the session library that ships with CGILua
since version 5.0 beta may allow remote attackers to easily and
quickly guess valid session IDs generated by a Lua web
application and perform session hijacking - for example, gain
access to user sessions of various other logged-in users.

----------------------------------------------------------------

Details:

CGILua 5.2 alpha, released in 2013, generates weak/insufficiently
random session IDs (usually 9-digit long, sometimes shorter),
based on OS time.
Since an attacker can view the source on GitHub, he knows the
generation mechanism. In our attack simulations, we were able to
guess valid session IDs extremely quickly through brute-force
attacks.

CGILua 5.1.x (2007-2010) contains a bug and always generates the
same ID. Since this bug is easily noticeable and makes the
library unusable, we doubt that the version of the session
library included with this release is in production anywhere.

CGILua 5.0.x, released in 2004, generates sequential (non-random)
8-digit long session IDs, making guessing even more easy.

----------------------------------------------------------------

Vulnerability Status:

The project maintainers were initially contacted at the end of
March, 2014.

The maintainer Tomás Guisasola believes that the session IDs
generated by CGILua 5.0 and 5.2 are not insecure in its current
form and that enhancing the randomness of the SID would
not make it more secure.

The maintainer confirmed that the session ID generation in
CGILua 5.1 is buggy - always generates the same ID, thus is
unusable.

Because there is no patch for this vulnerability (the author
does not consider it a security risk and is unresponsive) we
recommend that users simply do not use CGILua's session.lua
library until hopefully there is a patch issued to remedy this.

According to the CGILua changelog, the session API was
introduced in version 5.0 beta, therefore older versions, like
5.0 alpha, 4.x and before don't include the session.lua
library and should not be marked as vulnerable to this
particular issue.

In case you wish to manually patch the session library, consider
using the luuid library, which generates 128-bit random IDs, as
part of the fix, or any other Lua library that can generate
unique IDs based on high-quality randomness. After patching
(either with an official patch or your own patch), it is
necessary to remove/invalidate all sessions generated by the
old, unpatched code.

----------------------------------------------------------------

Disclosure Timeline:

* March 27, 2014 - Emailed the maintainers about the need of
hardening CGILua.
* April 2, 2014 - No reply. Emailed the maintainer once again.
* April 2, 2014 - First maintainer reply (see Vulnerability Status
above for details).
* April 4, 2014 - Syhunt sends information about recommended
SID length and entropy
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Length
* April 13, 2014 - Syhunt sends details about its own
demonstration tool that is able to guess CGILua session IDs, along
with additional comments in a separate email.
* April 30, 2014 - No response received to emails sent on April 4 & 13.
* April 30, 2014 - Public disclosure.

----------------------------------------------------------------

Credit:
Felipe Daragon
Syhunt Security Research Team, www.syhunt.com

We thank James Mouat, which performed some additional tests,
helping with the diagnosis of this issue.

----

Copyright © 2014 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close