Affects Version/s: None
Fix Version/s: 18.104.22.168
It is possible to control what CFML session tokens a user will have by sending them to a link that contains a CFID of your choosing, so long as it fits the UUID pattern.
This means I can send a user to a URL, wait for them to login and then visit that URL myself in order to be logged in as that user (better description here: https://www.petefreitag.com/item/815.cfm)
What I believe to be happening is:
1. Original request comes in with CFID=myhackedvalue
2. no session exists with that CFID
3. Lucee creates a new session using the passed CFID
Instead of 3. I believe that Lucee should be generating a new CFID so that attackers cannot simply define a session with a CFID of their choosing.
Using j2ee sessions does not suffer from this problem.