On 26/05/2008, at 10:18 AM, Aníbal Rojas wrote:
Agreed all the previous stuff...
The reason nobody can ever spoof a session is that they can never
generate
the needed hash because they don't have the @@state_secret piece of
text
needed to do so, hopefully! This presents a challenge for open
source. We
really need to raise an error if anyone tries to use CookieSessions
without
setting the @state_secret to something other than nil or "". Maybe
one good
I don't think raising a error is _required_, filling the log with a
meaningful message / advice should be enough.
solution is to add logic to CookieSessions so that if it is run
without a
@@state_secret supplied, it creates a file containing the
state_secret,
filling it with totally random characters. This too is a terrible
security
risk though, as the camping app may be being run in a webserver
like apache
or lighttpd, and that state_secret file generated may be readable
by the web
server. If an attacker can simply download a file telling them the
state
secret, it's game over. The only sensible default I could think of
was the
source code to the application itself, still problematic for open
source,
but would allow people to build apps without specifying an
@state_secret and
Interesting idea.
have a unique value used anyway. As they change the source code
during
development, they would be repeatedly signed out. I couldn't figure
out a
I think it would be more a annoyance than a real trouble for the
users.
The Web in intrinsecally broken.
way to do this well with the current release of camping.
For you idea of using the source cod (I think it could be more than
enough) I think anotehr variations could be:
- Using a directory listing of the app.
- The value of a environment variable (
- The timestamp (or something derived) of the folder containing the
app.
- The path where the app is intalled
- etc
I don't like any of these, it has to be something a remote attacker
cannot find out the value to. Remote attacker could potentially get a
directory listing, guess the value of an environment variable, find
out the timestamp from a webserver's directory listing, and guess the
path the app is installed to. The secret HAS to be a secret, it can't
be something anyone else has any chance of guessing or finding out
remotely.
--
Aníbal
—
Jenna
On 26/05/2008, at 7:45 AM, Aria Stewart wrote:
On Sat, 2008-05-24 at 22:43 -0500, _why wrote:
On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
* The cookie session is named Camping::Session and is placed in
camping/session.rb. Maybe this should be called
Camping::CookieSession
or???
You know, these cookie sessions seem like they could be a problem.
A lot of sessions would contain just the hash and the user name.
So, spoof the user name and you're in, you know?
Agreed, without an HMAC signature.
_______________________________________________
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list
_______________________________________________
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list
_______________________________________________
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list
_______________________________________________
Camping-list mailing list
Camping-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list
