lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 25 Sep 2013 11:50:37 +0200
From: joernchen <joernchen@...noelit.de>
To: "G. S. McNamara" <main@...cnamara.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Ruby on Rails] Move away from CookieStore if
 you care about your users and their security. Here is a technical
 explanation why.

Hi,

On Tue, Sep 24, 2013 at 09:30:58PM -0400, G. S. McNamara wrote:
> Ruby on Rails Web applications versions 2.0 through 4.0 are by default
> vulnerable to an oft-overlooked Web application security issue: Session
> cookies are valid for life.* A malicious user could use the stolen cookie
> from any authenticated request by the user to log in as them at any point
> in the future.
> 

There are other fun things which might happen, imagine App_A and App_B
which share the same codebase (let's just imagine two instances of a
some kind of appliance with a RoR Web frontend). If the vendor has not
taken care to generate a unique cookie-signing secret for each appliance 
you could just log into your appliance (App_A) and reuse the token on 
App_B yielding a session with the same userId on App_B. 

This however relies on a mechanism like "authenticated_system" which
just puts your userId in the session cookie.


cheers,

joernchen
-- 
joernchen ~ Phenoelit
<joernchen@...noelit.de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists