WebApp Sec: Re: ColdFusion - CFID & CFTOKEN

[leighm () linuxbandwagon com]

Ive found that if a site is running coldfusion, chances are that the sysadmins
technical skills arent very good (or theyde write it in php or python or
something)

which usually means if you look around the system somewhere youll find 
something
that the sysadmin has implemented incorrectly

you may disagree, but thats my theory, and seems to work for more sites 
than you
think ;)

Quoting ron thigpen <ron () fuzzsonic com>:

> Jason binger wrote:
> > I am currently doing some work with CF MX 6.1 and was
> > wondering if anyone had some information on the
> > strength of the CF cookie implementation.
> More information here:
> <http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_18133>
>
> Article describes a method for generating UUIDs for use as CFTOKEN 
> values.  It is also intimated that the code for generating standard 
> (non-UUID) CFTOKEN values has changed in the MX release.
> Seems it would be worth taking a new look at these standard CFTOKEN 
> values from an MX install to see if they still follow the pattern 
> indicated in Amit's paper.
> --rt


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Attachment: _bin
Description: PGP Public Key