Hi, On Tue, Sep 24, 2013 at 09:30:58PM -0400, G. S. McNamara wrote: > Ruby on Rails Web applications versions 2.0 through 4.0 are by default > vulnerable to an oft-overlooked Web application security issue: Session > cookies are valid for life.* A malicious user could use the stolen cookie > from any authenticated request by the user to log in as them at any point > in the future. >
There are other fun things which might happen, imagine App_A and App_B which share the same codebase (let's just imagine two instances of a some kind of appliance with a RoR Web frontend). If the vendor has not taken care to generate a unique cookie-signing secret for each appliance you could just log into your appliance (App_A) and reuse the token on App_B yielding a session with the same userId on App_B. This however relies on a mechanism like "authenticated_system" which just puts your userId in the session cookie. cheers, joernchen -- joernchen ~ Phenoelit <[email protected]> ~ C776 3F67 7B95 03BF 5344 http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
