id: 296
summary: HttpUseridModule lacks uniqueness in uid generation
reporter: Patrick Ellul
owner:
description:

Looking at the C code of this module, it seems that the UID generation is based on 4 things in order:

1) local_sockaddr
2) ngx_time
3) start time of nginx
4) sequence

However, these values are converted to uint32 before being htonl'ed. Then they are sprintf'ed using %08XD.

Also, the resultant cookie is trimmed to 22 characters.

This means that the assigned uid is not very unique, not to mention quite predictable.

When using this uid for session management, it makes it possible for users to intrude on other users' sessions, perhaps even steal another user's session on purpose.

We discovered this from our production systems, when we noticed that the same uid was being given to hundreds of different clients. The nature of our system is such that we receive massive bursts of requests in a small amount of time and hence the chance of this happening increases quite a lot.

A simple fix could be to use a long random string instead, possibly of configurable length.

type: defect
status: closed
priority: minor
milestone:
component: nginx-module
version: 1.3.x
resolution: invalid
keywords: userid, security
cc:
uname: Linux XXXXXX 3.2.34-55.46.amzn1.x86_64 #1 SMP Tue Nov 20 10:06:15 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
nginx_version: nginx_1.2.5
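
Added example, not part of the ticket and not nginx source: a small C model of an identifier built from the four 32-bit fields the report lists, next to the kind of random session token the report suggests as a fix. The field names and sample values are hypothetical, and reading `/dev/urandom` assumes a Unix-like host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four inputs listed in the report, each already narrowed to 32 bits.
 * Field names are hypothetical; this is a model, not nginx source. */
struct uid_fields { uint32_t addr, now, start, seq; };

/* Render the fields as four 8-digit hex groups (32 chars + NUL). */
static void uid_format(const struct uid_fields *f, char out[33]) {
    snprintf(out, 33, "%08X%08X%08X%08X", (unsigned)f->addr,
             (unsigned)f->now, (unsigned)f->start, (unsigned)f->seq);
}

/* Number of character positions where two 32-char ids differ. */
static int uid_diff(const char *a, const char *b) {
    int n = 0;
    for (int i = 0; i < 32; i++) n += (a[i] != b[i]);
    return n;
}

/* Session token: 128 bits from the OS CSPRNG, hex encoded. 0 on success. */
static int session_token(char out[33]) {
    unsigned char buf[16];
    FILE *fp = fopen("/dev/urandom", "rb");
    if (fp == NULL) return -1;
    size_t got = fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    if (got != sizeof buf) return -1;
    for (int i = 0; i < 16; i++) snprintf(out + 2 * i, 3, "%02x", buf[i]);
    return 0;
}

int main(void) {
    /* Constructed sample values: same server, same second, next sequence. */
    struct uid_fields a = { 0x0A000001u, 0x50AB6A47u, 0x00012345u, 0x00000001u };
    struct uid_fields b = a;
    char ua[33], ub[33], tok[33];
    b.seq += 1;
    uid_format(&a, ua);
    uid_format(&b, ub);
    printf("%s\n%s\ndiffering chars: %d\n", ua, ub, uid_diff(ua, ub));
    if (session_token(tok) != 0) return 1;
    printf("random token:    %s\n", tok);
    return 0;
}
```

An identifier of this shape is a deterministic function of server state, so equal inputs yield equal ids; a session token should be drawn from the CSPRNG and kept separate from any tracking uid.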