Juvia secret token handling

2013.12.19
Credit: Stefan
Risk: High
Local: Yes
Remote: No
CWE: CWE-255


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hi!

Juvia is a Ruby on Rails application to host "comments": a commenting server similar to Disqus and IntenseDebate. It includes a "default" secret to validate cookies in `app/config/initializers/secret_token.rb', and the install instructions do not include generating a new secret. Also the file in question is maintained in git, and configuration should not touch these files. This means an attacker could modify session state, which is somehow trusted by the Rails application.

A workaround for Juvia is to generate a new secret (`rake secret') and replace the one in `app/config/initializers/secret_token.rb' (invalidating all cookies; don't forget to restart Juvia). You have to be careful when switching between git branches and so on to not lose the change.

The core problem is that Rails generated the file that way; other gems have similar issues. The Rails security team has been informed about this.

Kind regards,
Stefan

References:
* Juvia "public" secret: https://github.com/phusion/juvia/blob/master/config/initializers/secret_token.rb
* Juvia issue for this: https://github.com/phusion/juvia/issues/55
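To make concrete why a committed secret_token matters and why rotating it with `rake secret` invalidates every existing cookie, here is an added example (not Juvia's or Rails' code): it re-implements the Rails 3 session cookie signing format (ActiveSupport::MessageVerifier, HMAC-SHA1 over a base64 payload, keyed with `config.secret_token`) and adds a check for a literal token in the initializer. The initializer contents, the constant `Juvia::Application`, and the use of JSON instead of Marshal as the payload serializer are assumptions made so it runs without Rails.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Rails 3 session cookies are "<base64 payload>--<hex HMAC-SHA1 over the payload>",
# keyed with config.secret_token (ActiveSupport::MessageVerifier). Assumption:
# JSON replaces Marshal as the payload serializer so this runs without Rails.
def sign_session(secret, session)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time comparison, as Rails does, so verification does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the session hash, or nil when the signature does not match this secret.
def verify_session(secret, cookie)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA1', secret, data), digest)
  JSON.parse(Base64.strict_decode64(data))
end

# Defender check for the pattern this advisory describes: a literal token in the
# initializer (a git-tracked file) instead of one read from the environment.
LITERAL_TOKEN = /secret_token\s*=\s*['"][0-9a-f]{30,}['"]/i
def hardcoded_secret?(initializer_source)
  initializer_source.match?(LITERAL_TOKEN)
end

# Constructed initializer contents (not Juvia's actual file).
BAD_INITIALIZER  = "Juvia::Application.config.secret_token = '#{'ab' * 64}'\n"
GOOD_INITIALIZER = "Juvia::Application.config.secret_token = ENV.fetch('SECRET_TOKEN')\n"

if __FILE__ == $0
  shipped = 'ab' * 64                 # stands in for the committed default token
  rotated = SecureRandom.hex(64)      # what `rake secret` produces
  cookie  = sign_session(shipped, 'user_id' => 1, 'admin' => true)
  puts "hard-coded token in initializer: #{hardcoded_secret?(BAD_INITIALIZER)}"
  puts "cookie accepted under shipped token: #{!verify_session(shipped, cookie).nil?}"
  puts "cookie accepted after rotation:      #{!verify_session(rotated, cookie).nil?}"
end
```

Run against a real checkout, `hardcoded_secret?(File.read('config/initializers/secret_token.rb'))` flags the shipped layout, and the rotation lines show that no cookie minted under the old token survives the switch.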

References:

https://github.com/phusion/juvia/blob/master/config/initializers/secret_token.rb
https://github.com/phusion/juvia/issues/55
http://seclists.org/oss-sec/2013/q4/510

