VYPR
Unrated severity · NVD Advisory · Published Feb 6, 2020 · Updated Aug 6, 2024

CVE-2014-2875

Description

The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10399 and CVE-2014-10400 were SPLIT from this ID.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CGILua session.lua uses weak session IDs based on OS time, enabling remote attackers to hijack sessions via brute force.

Vulnerability

The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 generates session IDs from the OS time, so the IDs (typically 9 decimal digits) are insufficiently random and predictable from the time the session was created. The original advisory [1] also covers CGILua 5.0.x (sequential 8-digit IDs) and 5.1.x (always the same ID, due to a bug); those releases are tracked separately under CVE-2014-10399 and CVE-2014-10400, which were split from this ID, so this entry covers only the 5.2 alpha releases. The flaw resides in the session ID generation mechanism within the session.lua module.

Exploitation

An attacker can remotely guess valid session IDs by brute force, without authentication or user interaction. Because the generation mechanism is published in the source code, the effective search space is not the nominal ID width but the range of plausible creation times: an attacker who knows roughly when a victim logged in need only enumerate the OS-time values around that moment and submit the resulting IDs. In the advisory author's simulations, valid IDs were guessed extremely quickly [1]. For 5.1.x (tracked under one of the split IDs), the bug produces the same ID every time, so obtaining a single ID is enough to hijack every session.

Impact

Successful exploitation allows the attacker to perform session hijacking, gaining access to other users' authenticated sessions. This can lead to unauthorized access to user accounts and associated data, depending on the web application's functionality [1].

Mitigation

CGILua 5.0.x (2004) and 5.1.x (2007–2010) are end-of-life, and 5.2 alpha 1/2 (2013) remained unpatched as of the advisory's release (April 2014). No fixed version has been published; the vendor was informed but released no official patch [1]. Workarounds include replacing the session ID generation with output from a cryptographically secure random source (e.g., /dev/urandom on Unix-like systems), encoded to at least 128 bits of entropy per ID, or using a different session management library. Time-derived IDs should be avoided entirely rather than merely widened: a longer ID that is still a function of the clock gains no unpredictability. This vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.
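To make the exploitation and mitigation sections concrete, the following Lua is an added example, not CGILua's session.lua and not taken from the advisory. `weak_id` is a hypothetical stand-in for a time-derived generator (it formats the epoch second as a 9-digit string, matching only the width the advisory mentions, not CGILua's actual arithmetic); `brute_force` shows how an attacker who knows the approximate login time enumerates the candidate IDs; `secure_id` is the kind of /dev/urandom-backed replacement the workaround describes. The `/dev/urandom` path assumes a Unix-like host.

```lua
-- Added example (not CGILua's code): contrasts a time-seeded session ID
-- generator with a /dev/urandom-backed one, and shows how cheaply the
-- former is enumerated once the creation time is roughly known.

-- Hypothetical weak generator: the ID is a deterministic function of the
-- second the session was created. Stands in for the pattern, not for
-- CGILua's exact algorithm.
local function weak_id(t)
  t = t or os.time()
  -- 9 decimal digits derived from the clock: wide, but not unpredictable
  return string.format("%09d", t % 1000000000)
end

-- Attacker side: enumerate every second in a window around the guessed
-- login time and compare the derived IDs against the target. Returns the
-- matching timestamp (or nil) and the number of candidates tried.
local function brute_force(target, approx_time, window)
  local tried = 0
  for t = approx_time - window, approx_time + window do
    tried = tried + 1
    if weak_id(t) == target then
      return t, tried
    end
  end
  return nil, tried
end

-- Hardened replacement: nbytes (default 16, i.e. 128 bits) from the OS
-- CSPRNG, hex-encoded. The clock plays no part, so knowing when the
-- session was created tells the attacker nothing about the ID.
local function secure_id(nbytes)
  nbytes = nbytes or 16
  local f = assert(io.open("/dev/urandom", "rb"))
  local raw = assert(f:read(nbytes))
  f:close()
  assert(#raw == nbytes, "short read from /dev/urandom")
  return (raw:gsub(".", function(c) return string.format("%02x", c:byte()) end))
end

-- Demo: the attacker's estimate of the login time is 17 seconds off, and a
-- two-minute window still recovers the ID after a few dozen guesses.
local now = os.time()
local victim = weak_id(now)
local found, tried = brute_force(victim, now + 17, 60)
print(("weak id %s recovered after %d guesses (t=%s)"):format(victim, tried, tostring(found)))
print("secure id", secure_id())
```

The brute-force loop is the whole attack: a 9-digit ID looks like a billion possibilities, but a time-derived one is searched at the cost of the uncertainty in the creation time, here 121 guesses. Note also that two sessions created in the same second collide under `weak_id`, a second reason the clock is unsuitable as the sole input.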

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • CGILua/session.lua library
  • CGILua/CGILua
    Range: = 5.2 alpha 1, 5.2 alpha 2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.