Message-ID: <aef19c3ba928f5246be41adcb2bebb3ad209f511.camel@gathman.org>
Date: Wed, 18 Dec 2019 23:09:40 -0500
From: "Stuart D. Gathman" <stuart@...hman.org>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE-2019-16782] Possible Information Leak /
 Session Hijack Vulnerability in Rack

On Thu, 2019-12-19 at 00:33 +0500, Alexander E. Patrakov wrote:
> 
> > The session id itself may be generated randomly, but the way the
> > session is indexed by the backing store does not use a secure
> > comparison.
> 
> I don't understand why this is reported as something Rack-specific.
> 
> On the other hand, I don't see how a timing attack would be possible
> on the most common data structures (B-Tree and Hash) used for
> database indexes.

My B-tree uses minimum unique key with leading duplicates not stored
for all but the leaf nodes - so it would also (eventually - there is so
much noise in the timing measurement) give away the key via timing
attacks.  

I had not thought of that angle, and I hope I remember this the next
time I am reinventing session ids.  Now I'm also wondering about other
libraries that manage session ids.  Java servlets in Apache Tomcat?
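
The leak discussed above, reduced to a runnable model (this is an added example, not code from the post, from Rack, or from any real backing store). It assumes a toy store whose index compares keys byte by byte and stops at the first mismatch, as a prefix-compressed B-tree key or a memcmp would, and it uses the number of byte comparisons as a noise-free stand-in for elapsed time; a real attacker has to average many requests per guess. The victim session id, the stored session data and the `SessionId`-style hashed-key wrapper are all constructed here for illustration. The attack recovers the id one hex digit at a time from the leaky store, and fails against the same store once the id is hashed before being used as the index key, because the index then only reveals how much of the hash a probe matched, which cannot be turned back into the next digit of the id.

```ruby
require 'digest'
require 'securerandom'

HEX_DIGITS = ('0'..'9').to_a + ('a'..'f').to_a

# Session store whose index compares keys byte by byte and stops at the
# first mismatch (constructed model of a prefix-compressed B-tree key or a
# memcmp). The comparison count stands in for elapsed time: it grows with
# the length of the prefix the probe shares with a stored key.
class PrefixCompareStore
  def initialize
    @rows = {}
  end

  def store(key, value)
    @rows[key] = value
  end

  # Returns [value_or_nil, comparisons_performed].
  def lookup(key)
    work = 0
    hit = nil
    @rows.each do |stored, value|
      n = 0
      n += 1 while n < stored.bytesize && stored.getbyte(n) == key.getbyte(n)
      work += n + 1 # the mismatching (or terminating) byte is examined too
      hit = value if n == stored.bytesize && key.bytesize == stored.bytesize
    end
    [hit, work]
  end
end

# Same store, but the public session id is hashed before it becomes the
# index key. The index still leaks how much of the *hash* a probe matches,
# but a matching hash prefix says nothing about the next digit of the id.
class HashedKeyStore
  def initialize
    @inner = PrefixCompareStore.new
  end

  def store(public_id, value)
    @inner.store(Digest::SHA256.hexdigest(public_id), value)
  end

  def lookup(public_id)
    @inner.lookup(Digest::SHA256.hexdigest(public_id))
  end
end

# Recovers a hex session id one digit at a time: at each position keep the
# digit whose probe cost the most comparisons. The block maps a candidate id
# to its measured cost. Measurements are noise-free here.
def recover_session_id(length)
  recovered = +''
  length.times do
    pad = 'f' * (length - recovered.size - 1)
    recovered << HEX_DIGITS.max_by { |d| yield(recovered + d + pad) }
  end
  recovered
end

# Constant-time equality for values the application compares itself (cookie
# signatures, CSRF tokens). It does nothing for comparisons performed inside
# the backing store's index; that is what the hashed key above addresses.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Runs the attack against both stores for a constructed victim session and
# reports whether the recovered id is accepted as that session.
def demo(victim_id = SecureRandom.hex(16))
  session = { user: 'alice' }               # constructed session data
  leaky = PrefixCompareStore.new
  leaky.store(victim_id, session)
  hashed = HashedKeyStore.new
  hashed.store(victim_id, session)

  from_leaky  = recover_session_id(victim_id.size) { |guess| leaky.lookup(guess)[1] }
  from_hashed = recover_session_id(victim_id.size) { |guess| hashed.lookup(guess)[1] }

  {
    leaky_hijacked:  leaky.lookup(from_leaky)[0] == session,
    hashed_hijacked: hashed.lookup(from_hashed)[0] == session,
  }
end

if __FILE__ == $PROGRAM_NAME
  p demo # {:leaky_hijacked=>true, :hashed_hijacked=>false}
end
```

The point of the hashed wrapper is that the value the index compares is derived from the secret with a one-way function, so whatever the index leaks about its own key does not shorten the search for the public id; `secure_compare` is still needed anywhere the application does the comparison itself, but it cannot reach inside a database or B-tree.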
