Date: Thu, 3 Oct 2013 17:46:37 -0400
From: Jeffrey Walton <noloader@...il.com>
To: "G. S. McNamara" <main@...cnamara.com>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Django] Cookie-based session storage session invalidation issue

> Again, the behavior is a surprise to most developers.

If it surprises developers, then what do you think it does to
unsuspecting users?

It's akin to a builder installing a lock on a house that does not
work, and the builder not telling the home owner.

It's already game over, whether it's documented or not. Perhaps the
Django developers should take time to read Peter Gutmann's Engineering
Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross
Anderson's Security Engineering (www.cl.cam.ac.uk/~rja14/book.html).

Jeff

On Thu, Oct 3, 2013 at 10:39 AM, G. S. McNamara <main@...cnamara.com> wrote:
> Hi Paul,
>
> The documentation you linked to was updated yesterday to reflect the issue I
> brought up with cookie-stored sessions.
>
> Again, the behavior is a surprise to most developers.
>
>
> Thanks!
>
> G. S. McNamara
>
>
> On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <paul@...illan.ws> wrote:
>>
>> G. S. McNamara:
>>
>> Perhaps next you will disclose that if an attacker obtains a user's
>> password, they can log in as that user. Seriously, "full disclosure"
>> of well documented behavior is not particularly impressive.
>>
>>
>> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>>
>> Cheers,
>> -Paul
>>
>> > From: "G. S. McNamara" <main@...cnamara.com>
>> > To: <full-disclosure@...ts.grok.org.uk>
>> > Subject: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue
>> >
>> > FD,
>> >
>> > I’m back!
>> >
>> > Django versions 1.4 – 1.7 offer a cookie-based session storage option
>> > (not the default this time) that is afflicted by the same issue I posted
>> > about previously concerning Ruby on Rails:
>> >
>> > If you obtain a user’s cookie, even if they log out, you can still log
>> > in as them.
>> >
>> > The short write-up is here, if needed:
>> > http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>> >
>> > Cheers,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
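The behaviour argued over in this thread comes down to where session state lives. A purely cookie-based session is a signed blob the browser carries; the server keeps no record of it, so "logout" can only ask the browser to discard the cookie, and any copy that already left the browser still verifies until the cookie expires or the signing key changes. The following is an added illustration written for this archive page, not Django's code and not the original poster's write-up: a minimal HMAC-signed cookie session in the stateless style, beside a hardened variant that keeps one integer per user (a session generation counter, an assumption of this example, not a Django feature) and embeds it in the cookie so that logout can bump the counter and reject every previously issued cookie. The secret key and the user table are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for the illustration only (not a real key).
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict) -> str:
    """Serialize a session dict into a signed cookie value: base64(json).hmac."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_session(cookie: str):
    """Return the session dict if the HMAC checks out, else None."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return json.loads(_unb64(body))


# --- Purely cookie-based sessions: no server-side state ---------------------

def login_stateless(user_id: int) -> str:
    return sign_session({"uid": user_id})


def logout_stateless(response_cookies: dict) -> None:
    # All a stateless logout can do is tell the browser to drop its copy;
    # any other copy of the value remains a valid session.
    response_cookies.pop("sessionid", None)


def user_from_stateless(cookie: str):
    session = verify_session(cookie)
    return session["uid"] if session else None


# --- Hardened: cookie carries a per-user session generation -----------------

# Constructed user table. The generation counter is the one piece of
# server-side state that makes invalidation possible.
USERS = {42: {"session_generation": 1}}


def login_generational(user_id: int) -> str:
    gen = USERS[user_id]["session_generation"]
    return sign_session({"uid": user_id, "gen": gen})


def logout_generational(user_id: int) -> None:
    # Bumping the counter rejects every cookie issued before this moment,
    # on every device, without needing the cookie values themselves.
    USERS[user_id]["session_generation"] += 1


def user_from_generational(cookie: str):
    session = verify_session(cookie)
    if not session:
        return None
    user = USERS.get(session.get("uid"))
    if user is None or session.get("gen") != user["session_generation"]:
        return None
    return session["uid"]


if __name__ == "__main__":
    old = login_stateless(42)
    logout_stateless({"sessionid": old})
    print("stateless cookie after logout:", user_from_stateless(old))  # still 42
    old = login_generational(42)
    logout_generational(42)
    print("generational cookie after logout:", user_from_generational(old))  # None
```

The generation check costs one lookup per request, which is the trade-off the stateless design was avoiding; it also invalidates all of a user's sessions at once rather than just the one being logged out, which is usually the desired behaviour on logout or password change. It does nothing about a copied cookie that is replayed before the user logs out, so it complements, rather than replaces, short expiry, the Secure and HttpOnly flags, and a server-side session store where per-session revocation is needed.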
