WebApp Sec: Re: ColdFusion

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: ColdFusion - CFID & CFTOKEN

From: ron thigpen <ron () fuzzsonic com>
Date: Wed, 11 May 2005 12:15:44 -0400

Jason binger wrote:

I am currently doing some work with CF MX 6.1 and was
wondering if anyone had some information on the
strength of the CF cookie implementation.


More information here:
<http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_18133>

Article describes a method for generating UUIDs for use as CFTOKENvalues. It is also intimated that the code for generating standard(non-UUID) CFTOKEN values has changed in the MX release.

Seems it would be worth taking a new look at these standard CFTOKENvalues from an MX install to see if they still follow the patternindicated in Amit's paper.


--rt

By Date By Thread

Current thread:

ColdFusion - CFID & CFTOKEN Jason binger (Apr 13)
- RE: ColdFusion - CFID & CFTOKEN Andrew van der Stock (Apr 13)
- Re: ColdFusion - CFID & CFTOKEN Rogan Dawes (Apr 14)
- Re: ColdFusion - CFID & CFTOKEN Amit Klein (AKsecurity) (Apr 18)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
  - Re: ColdFusion - CFID & CFTOKEN leighm (May 15)