Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30555
HistoryMay 04, 2014 - 12:00 a.m.

Syhunt Advisory: CGILua session.lua Predictable Session ID Vulnerability

2014-05-0400:00:00
vulners.com
33
JSON

Syhunt Advisory: CGILua session.lua Predictable Session ID Vulnerability

Advisory-ID: 201404301
Discovery Date: 03.27.2014
Release Date: 04.30.2014
Affected Applications: CGILua 5.0.x, CGILua 5.1.x., CGILua 5.2 alpha 1 &
CGILua 5.2 alpha 2
Class: Predictable Session ID
Status: Unpatched/Vendor informed
Vendor: CGILua project
Vendor URL: https://github.com/keplerproject/cgilua
Advisory URL: http://www.syhunt.com/advisories/?id=cgilua-weaksessionid

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVE to this vulnerability: CVE-2014-2875

Overview:
CGILua is an open source tool for creating dynamic Web pages and
manipulating input data from Web forms. It allows the separation
of logic and data handling from the generation of pages, making
it easy to develop web applications with the Lua programming
language.

Over the years the tool has been adopted by several
organizations worldwide, especially in Brazil where it has been
adopted by some high profile organizations.

Description:
A vulnerability in the session library that ships with CGILua
since version 5.0 beta may allow remote attackers to easily and
quickly guess valid session IDs generated by a Lua web
application and perform session hijacking - for example, gain
access to user sessions of various other logged-in users.

Details:

CGILua 5.2 alpha, released in 2013, generates weak/insufficiently
random session IDs (usually 9-digit long, sometimes shorter),
based on OS time.
Since an attacker can view the source on GitHub, he knows the
generation mechanism. In our attack simulations, we were able to
guess valid session IDs extremely quickly through brute-force
attacks.

CGILua 5.1.x (2007-2010) contains a bug and always generates the
same ID. Since this bug is easily noticeable and makes the
library unusable, we doubt that the version of the session
library included with this release is in production anywhere.

CGILua 5.0.x, released in 2004, generates sequential (non-random)
8-digit long session IDs, making guessing even more easy.

Vulnerability Status:

The project maintainers were initially contacted at the end of
March, 2014.

The maintainer Tomas Guisasola believes that the session IDs
generated by CGILua 5.0 and 5.2 are not insecure in its current
form and that enhancing the randomness of the SID would
not make it more secure.

The maintainer confirmed that the session ID generation in
CGILua 5.1 is buggy - always generates the same ID, thus is
unusable.

Because there is no patch for this vulnerability (the author
does not consider it a security risk and is unresponsive) we
recommend that users simply do not use CGILua's session.lua
library until hopefully there is a patch issued to remedy this.

According to the CGILua changelog, the session API was
introduced in version 5.0 beta, therefore older versions, like
5.0 alpha, 4.x and before don't include the session.lua
library and should not be marked as vulnerable to this
particular issue.

In case you wish to manually patch the session library, consider
using the luuid library, which generates 128-bit random IDs, as
part of the fix, or any other Lua library that can generate
unique IDs based on high-quality randomness. After patching
(either with an official patch or your own patch), it is
necessary to remove/invalidate all sessions generated by the
old, unpatched code.

Disclosure Timeline:

  • March 27, 2014 - Emailed the maintainers about the need of
    hardening CGILua.
  • April 2, 2014 - No reply. Emailed the maintainer once again.
  • April 2, 2014 - First maintainer reply (see Vulnerability Status
    above for details).
  • April 4, 2014 - Syhunt sends information about recommended
    SID length and entropy
    https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Length
  • April 13, 2014 - Syhunt sends details about its own
    demonstration tool that is able to guess CGILua session IDs, along
    with additional comments in a separate email.
  • April 30, 2014 - No response received to emails sent on April 4 & 13.
  • April 30, 2014 - Public disclosure.

Credit:
Felipe Daragon
Syhunt Security Research Team, www.syhunt.com

We thank James Mouat, which performed some additional tests,
helping with the diagnosis of this issue.

Copyright © 2014 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

Related

prion 3
debiancve 3
cve 3
securityvulns 1
prion
prion
Code injection
2020-02-06 16:15:00
Code injection
2020-02-06 16:15:00
Design/Logic Flaw
2020-02-06 16:15:00
debiancve
debiancve
CVE-2014-10399
2020-02-06 16:15:00
CVE-2014-10400
2020-02-06 16:15:00
CVE-2014-2875
2020-02-06 16:15:00
cve
cve
CVE-2014-10399
2020-02-06 16:15:00
CVE-2014-10400
2020-02-06 16:15:00
CVE-2014-2875
2020-02-06 16:15:00
securityvulns
securityvulns
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2014-05-04 00:00:00
JSON
Related for SECURITYVULNS:DOC:30555
prion3debiancve3cve3securityvulns1