Discovery Date: 03.27.2014
Release Date: 04.30.2014
Affected Applications: CGILua 5.0.x, CGILua 5.1.x., CGILua 5.2 alpha 1 & CGILua 5.2 alpha 2
Class: Predictable Session ID
Status: Unpatched/Vendor informed
Vendor: CGILua project
Vendor URL: https://github.com/keplerproject/cgilua
Advisory URL: http://www.syhunt.com/advisories/?id=cgilua-weaksessionid
The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVE to this vulnerability: CVE-2014-2875
Overview: CGILua is an open source tool for creating dynamic Web pages and manipulating input data from Web forms. It allows the separation of logic and data handling from the generation of pages, making it easy to develop web applications with the Lua programming language.
Over the years the tool has been adopted by several organizations worldwide, especially in Brazil where it has been adopted by some high profile organizations.
Description: A vulnerability in the session library that ships with CGILua since version 5.0 beta may allow remote attackers to easily and quickly guess valid session IDs generated by a Lua web application and perform session hijacking - for example, gain access to user sessions of various other logged-in users.
CGILua 5.2 alpha, released in 2013, generates weak/insufficiently random session IDs (usually 9-digit long, sometimes shorter), based on OS time. Since an attacker can view the source on GitHub, he knows the generation mechanism. In our attack simulations, we were able to guess valid session IDs extremely quickly through brute-force attacks.
CGILua 5.1.x (2007-2010) contains a bug and always generates the same ID. Since this bug is easily noticeable and makes the library unusable, we doubt that the version of the session library included with this release is in production anywhere.
CGILua 5.0.x, released in 2004, generates sequential (non-random) 8-digit long session IDs, making guessing even more easy.
The project maintainers were initially contacted at the end of March, 2014.
The maintainer Tomás Guisasola believes that the session IDs generated by CGILua 5.0 and 5.2 are not insecure in its current form and that enhancing the randomness of the SID would not make it more secure.
The maintainer confirmed that the session ID generation in CGILua 5.1 is buggy - always generates the same ID, thus is unusable.
Because there is no patch for this vulnerability (the author does not consider it a security risk and is unresponsive) we recommend that users simply do not use CGILua's session.lua library until hopefully there is a patch issued to remedy this.
According to the CGILua changelog, the session API was introduced in version 5.0 beta, therefore older versions, like 5.0 alpha, 4.x and before don't include the session.lua library and should not be marked as vulnerable to this particular issue.
In case you wish to manually patch the session library, consider using the luuid library, which generates 128-bit random IDs, as part of the fix, or any other Lua library that can generate unique IDs based on high-quality randomness. After patching (either with an official patch or your custom patch), it is necessary to remove/invalidate all sessions generated by the old, unpatched code.
- March 27, 2014 - Emailed the maintainers about the need of hardening CGILua.
- April 2, 2014 - No reply. Emailed the maintainer once again.
- April 2, 2014 - First maintainer reply (see Vulnerability Status above for details).
- April 4, 2014 - Syhunt sends information about recommended SID length and entropy https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Length
- April 13, 2014 - Syhunt sends details about its own demonstration tool that is able to guess CGILua session IDs, along with additional comments in a separate email.
- April 30, 2014 - No response received to emails sent on April 4 & 13.
- April 30, 2014 - Public disclosure.
Syhunt Security Research Team, www.syhunt.com
We thank James Mouat, which performed some additional tests, helping with the diagnosis of this issue.
Copyright © 2014 Syhunt Security
Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes.
Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.