| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130925095037.GA1277@localhost.Speedport_W_722V_Typ_B> Date: Wed, 25 Sep 2013 11:50:37 +0200 From: joernchen <joernchen@...noelit.de> To: "G. S. McNamara" <main@...cnamara.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [Ruby on Rails] Move away from CookieStore if you care about your users and their security. Here is a technical explanation why. Hi, On Tue, Sep 24, 2013 at 09:30:58PM -0400, G. S. McNamara wrote: > Ruby on Rails Web applications versions 2.0 through 4.0 are by default > vulnerable to an oft-overlooked Web application security issue: Session > cookies are valid for life.* A malicious user could use the stolen cookie > from any authenticated request by the user to log in as them at any point > in the future. > There are other fun things which might happen, imagine App_A and App_B which share the same codebase (let's just imagine two instances of a some kind of appliance with a RoR Web frontend). If the vendor has not taken care to generate a unique cookie-signing secret for each appliance you could just log into your appliance (App_A) and reuse the token on App_B yielding a session with the same userId on App_B. This however relies on a mechanism like "authenticated_system" which just puts your userId in the session cookie. cheers, joernchen -- joernchen ~ Phenoelit <joernchen@...noelit.de> ~ C776 3F67 7B95 03BF 5344 http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists