CVE-2014-10400
Description
The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CGILua 5.0.x uses sequential session IDs, allowing remote attackers to predict and hijack sessions without authentication.
Vulnerability
The session.lua library in CGILua versions 5.0.x, 5.1.x, and 5.2 alpha releases generates weak session identifiers that are predictable or insufficiently random [1]. In CGILua 5.0.x, session IDs are sequential 8-digit numbers [1]. In CGILua 5.1.x, a bug causes all sessions to receive the same ID [1]. In CGILua 5.2 alpha, session IDs are generated based on OS time, typically 9 digits long [1]. Generating predictable session IDs violates secure session management best practices [1]. The affected versions include CGILua 5.0.x, 5.1.x, and 5.2 alpha 1 and alpha 2 [1].
Exploitation
An attacker needs only network access to the target web application that uses the vulnerable CGILua session library [1]. The generation mechanism is publicly known, as the source code is available on GitHub [1]. For 5.0.x, the attacker can enumerate sequential IDs in ascending order to find an active session [1]. For 5.1.x, all users get the same ID, so the attacker may already know a valid ID [1]. For 5.2 alpha, the attacker can brute-force IDs by guessing values based on OS timestamps [1]. No authentication or user interaction is required [1].
Impact
A successful attacker can hijack active user sessions, obtaining the same privileges and access rights as the legitimate user [1]. This includes potentially accessing sensitive data or performing actions on behalf of the victim [1]. The vulnerability compromises session integrity and confidentiality [1].
Mitigation
No official patch or fixed version has been released by the project maintainers [1]. The vendor was informed but the vulnerability was unpatched as of the advisory date [1]. Mitigation requires developers to replace the session.lua library with a custom implementation that generates cryptographically random session IDs [1]. As of 2020, the project status is unclear; users should consider migrating to alternative session management libraries or frameworks [1].
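As an added illustration (not part of this CVE record or of the CGILua project's code), the following Python audit check classifies a sample of observed session IDs into the three weak patterns the description names (identical, sequential, clock-derived) and pairs it with a CSPRNG-based generator of the kind the mitigation calls for. The sample IDs, the MIN_SAMPLE and TIME_WINDOW thresholds, and the function names are constructed assumptions.

```python
import secrets

# Minimum number of observed IDs needed before drawing any conclusion (assumed threshold).
MIN_SAMPLE = 3
# Assumed window (seconds): an ID this close to its issue time is treated as clock-derived.
TIME_WINDOW = 86400


def _all_numeric(ids):
    return all(i.isdigit() for i in ids)


def classify_session_ids(ids, issued_at=None):
    """Classify a sample of session IDs, listed in the order they were issued.

    Returns one of:
      'identical'          - every session got the same ID    (the 5.1.x bug)
      'sequential'         - IDs increase by a constant step   (the 5.0.x scheme)
      'time_based'         - IDs track the issue timestamp     (the 5.2 alpha scheme)
      'no_obvious_pattern' - none of the above was detected
    issued_at is the epoch time (seconds) at which the sample was collected;
    it is only used for the time_based check.
    """
    if len(ids) < MIN_SAMPLE:
        raise ValueError("need at least %d IDs to judge a pattern" % MIN_SAMPLE)
    if len(set(ids)) == 1:
        return "identical"
    if _all_numeric(ids):
        values = [int(i) for i in ids]
        steps = {b - a for a, b in zip(values, values[1:])}
        if len(steps) == 1 and steps.pop() > 0:
            return "sequential"
        if issued_at is not None and all(abs(v - issued_at) <= TIME_WINDOW for v in values):
            return "time_based"
    # No pattern found. This is NOT proof of randomness: it only rules out the
    # three generator flaws this check knows about.
    return "no_obvious_pattern"


def generate_session_id(nbytes=32):
    """Return an unpredictable session ID drawn from the OS CSPRNG (256 bits by default)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed samples, not IDs captured from a real CGILua deployment.
    print(classify_session_ids(["10000001", "10000002", "10000003"]))                   # sequential
    print(classify_session_ids(["31337000"] * 3))                                       # identical
    print(classify_session_ids(["1400000001", "1400000005", "1400000012"], 1400000000)) # time_based
    print(classify_session_ids([generate_session_id() for _ in range(3)]))              # no_obvious_pattern
```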
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGILua/session.lua library
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- seclists.org/fulldisclosure/2014/Apr/318
- www.securityfocus.com/archive/1/531981/100/0/threaded
- www.syhunt.com/en/index.php
News mentions
No linked articles in our index yet.