
Weak session IDs generated CVE-2014-2875 #17

Open
brianmay opened this issue Mar 15, 2020 · 1 comment

Comments

@brianmay

I don't actually see any bug reports open on this CVE, so I am creating a bug report here.

https://security-tracker.debian.org/tracker/CVE-2014-2875

As far as I can tell, the issue is still present in the latest git source.

I believe the vulnerable code itself is in
https://github.com/keplerproject/cgilua/blob/master/src/cgilua/session.lua
and is these bits:

 local RANGE = 999999999
 [...]
 randseed (mod (time(), RANGE))

 [...]

 local function new_id ()
   return rand (RANGE)
 end

I think it is probably safe to assume rand() doesn't meet the requirements for a session id. As in, it generates numbers that are predictable.

I am not really familiar with how to generate an appropriate id, but I do notice there are some crypto libraries for Lua, e.g. https://github.com/philanc/plc

On the Debian mailing list, it was suggested "a more secure function is to simply read the value from /dev/urandom".

@brianmay
Author

I believe the following code, or something similar, would fix this issue:

   local basexx = require("basexx")  -- external dependency, used only for hex encoding

   local function new_id()
       local path = "/dev/urandom"
       local file = io.open(path, "rb")
       if not file then return nil end
       -- 16 bytes = 128 bits of entropy from the OS CSPRNG
       local content = file:read(16)
       file:close()
       -- hex-encode so the id is safe to put in a cookie
       content = basexx.to_hex(content)
       return content
   end

Note this requires basexx. It also might break the check_id() function, which expects the session id to be an integer.
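The following is an added example, not cgilua's code and not the reporter's patch. It puts together the two points raised above: the issue body's suggestion to read the id from /dev/urandom, and the follow-up's concerns about the basexx dependency and about check_id() expecting an integer. It assumes a POSIX system that exposes /dev/urandom; the check_id() shown here is a replacement written for the new hex format and is an assumption about what a matching validator should do, not a description of the existing function.

```lua
-- Added example (not cgilua's code): session id generation from the OS CSPRNG
-- plus a validator that matches the new id format.
-- Assumes a POSIX system exposing /dev/urandom.

local ID_BYTES = 16            -- 128 bits of entropy per session id
local ID_HEX_LEN = ID_BYTES * 2 -- length of the hex-encoded id

-- Read exactly n bytes from /dev/urandom. Fail closed with an error if the
-- device cannot be opened or returns a short read, rather than handing back
-- nil or a weaker id that the caller might use anyway.
local function urandom_bytes (n)
  local f = assert(io.open("/dev/urandom", "rb"))
  local data = f:read(n)
  f:close()
  if not data or #data ~= n then
    error("short read from /dev/urandom")
  end
  return data
end

-- Hex-encode a binary string with the standard library only, so no basexx
-- dependency is needed.
local function to_hex (s)
  return (s:gsub(".", function (c)
    return string.format("%02x", c:byte())
  end))
end

-- Hardened replacement for new_id(): 32 lowercase hex characters drawn from
-- the kernel CSPRNG instead of rand() seeded with the current time.
local function new_id ()
  return to_hex(urandom_bytes(ID_BYTES))
end

-- Validator for the new format (assumed replacement for the integer-based
-- check_id()). Accepts exactly ID_HEX_LEN lowercase hex characters and
-- rejects everything else, including the old integer ids, so a value sent by
-- a client is only ever used if it has the shape this code generates.
local function check_id (id)
  return type(id) == "string"
     and #id == ID_HEX_LEN
     and id:match("^[0-9a-f]+$") ~= nil
end

-- Usage: generate one id, confirm it validates, and confirm malformed values
-- are rejected.
local id = new_id()
assert(check_id(id), "generated id must validate")
assert(not check_id("123456789"), "old-style integer ids are rejected")
assert(not check_id(id:upper()), "uppercase hex is rejected")
assert(not check_id(id .. "x"), "wrong length is rejected")
print("session id:", id)
```

Two ids per request are generated cheaply here, so there is no reason to fall back to rand() on error: if /dev/urandom is unavailable the application should stop issuing sessions rather than issue guessable ones. Keeping the validator strict about length and alphabet also means check_id() can be relied on as the single point where untrusted cookie values are filtered before the id is used.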
