Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20131216203537.32d1f7e4@chromobil.localdomain>
Date: Mon, 16 Dec 2013 20:35:37 +0100
From: Stefan Bühler <stbuehler@...httpd.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: Juvia secret token handling

Hi!

Juvia is a Ruby on Rails application to host "comments":
> A commenting server similar to Disqus and IntenseDebate

It includes a "default" secret to validate cookies in 
`app/config/initializers/secret_token.rb', and the install instructions
do not include generating a new secret.
Also the file in question is maintained in git, and configuration
should not touch these files.

This means an attacker could modify session state, which is somehow
trusted by the Rails application.

A workaround for Juvia is to generate a new secret (`rake secret') and
replace the one in
`app/config/initializers/secret_token.rb' (invalidating all cookies,
don't forget to restart Juvia).
You have to be careful when switching between git branches and so on to
not loose the change.


The core problem is that rails generated the file that way; other gems
have similar issues.
The rails security team has been informed about this.

Kind regards,
Stefan

References:
* Juvia "public" secret:
  https://github.com/phusion/juvia/blob/master/config/initializers/secret_token.rb
* Juvia issue for this: https://github.com/phusion/juvia/issues/55

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.