Thanks for the update and details, John.
On Jul 26, 2007, at 5:47 PM, John W. Long wrote:
> Sylvain Gibier wrote:
>> Contact me at my email address cptflam [at] gmail.com -
>>
>> I found the security hole.
>
> Sylvain did indeed find a security hole in the radiantcms.org
> configuration. It wasn't a security problem in Radiant per se, but it
> was a problem with the way Radiant was configured on my host. However,
> the hole it uncovered is something that may affect ANY Radiant
> application running on a shared host.
>
> To gain access to the admin pages of radiantcms.org, Sylvain used Firefox
> 2.0 with the Web Developer extension, which allows you to see the current
> cookies for a page. Here is how he got access to the Radiant admin:
>
> 1) He first logged on to the admin part of the demo site:
>
>    http://demo.radiantcms.org/admin/pages
>
> 2) Then he opened up another tab and initialized a new session by hitting
>    this URL:
>
>    http://radiantcms.org/admin/login
>
> 3) He then changed the _session_id cookie to the value used by the demo
>    site using the Web Developer extension in Fox.
>
> 4) With the correct cookie set he could now bypass the login screen and
>    hit the following URL:
>
>    http://www.radiantcms.org/admin/pages
>
> The reason this worked is that the CGI session stuff is configured by
> default to place sessions in /tmp for all Ruby applications. Both the
> demo application and the version of Radiant powering the Radiant Web
> site were configured to use this default. This effectively meant that
> they could share the same sessions if the _session_id cookie was set up
> correctly.
>
> I fixed the problem by following the advice of this article:
>
>    http://weblog.textdrive.com/article/196/on-rails-sessions
>
> which recommended that you place the following line in
> config/environment.rb:
>
>    ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:tmpdir => File.join(RAILS_ROOT, '/tmp'))
>
> We will probably be switching to ActiveRecord based sessions to avoid
> this in the future. In the meantime, people running Radiant sites
> should take note of the above, ESPECIALLY THOSE USING A SHARED HOST!!!
>
> --
> John Long
> http://wiseheartdesign.com
> _______________________________________________
> Radiant mailing list
> Post: [email protected]
> Search: http://radiantcms.org/mailing-list/search/
> Site: http://lists.radiantcms.org/mailman/listinfo/radiant
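The cross-application session sharing described in John's message, replayed as an added example. This is not Radiant's or Rails' own code: the FileSessionStore class below is a simplified stand-in for the file-backed CGI session store that Rails 1.x used by default (one PStore file per session id inside a session directory, /tmp unless :tmpdir is overridden), the file naming is an assumption, and the session id is a constructed value. The example runs the same scenario twice: once with both "apps" using one shared session directory, as the default /tmp configuration does on a shared host, and once with each app given its own directory, which is what the config/environment.rb line from the message achieves.

```ruby
require 'pstore'
require 'tmpdir'
require 'fileutils'
require 'digest/md5'

# Stand-in for the file-backed CGI::Session::PStore store Rails 1.x used by
# default. Simplified for illustration: the file naming and layout here are
# assumptions, not the real store's code.
class FileSessionStore
  def initialize(dir)
    @dir = dir
    FileUtils.mkdir_p(@dir)
  end

  # Session files are derived from the session id alone, so two apps that share
  # a directory and receive the same _session_id cookie resolve to the same file.
  def path_for(session_id)
    File.join(@dir, "ruby_sess.#{Digest::MD5.hexdigest(session_id)}")
  end

  def write(session_id, data)
    PStore.new(path_for(session_id)).transaction { |s| s[:data] = data }
  end

  def read(session_id)
    path = path_for(session_id)
    return nil unless File.exist?(path)
    PStore.new(path).transaction(true) { |s| s[:data] }
  end
end

# Admin filter of a Radiant-like app: "logged in" means the session carries a
# user id. It trusts whatever session the cookie points at, which is the whole
# problem when the session directory is shared with another application.
def admin_logged_in?(store, session_id)
  data = store.read(session_id)
  !data.nil? && !data['user_id'].nil?
end

# Replays the steps from the message: log in to the demo app (step 1, which
# writes a session), then present the demo app's _session_id to the main site
# (steps 3 and 4). Returns true when the main site accepts the demo session
# as an admin login.
def replay_demo_session(demo_tmpdir, site_tmpdir)
  demo = FileSessionStore.new(demo_tmpdir)
  site = FileSessionStore.new(site_tmpdir)
  demo_session_id = 'constructed-demo-session-id-1234' # constructed value
  demo.write(demo_session_id, 'user_id' => 1)         # demo admin login
  admin_logged_in?(site, demo_session_id)             # replay cookie on the site
end

# Default configuration: both apps fall back to the same session directory.
def shared_tmpdir_bypass?
  Dir.mktmpdir('shared') { |tmp| replay_demo_session(tmp, tmp) }
end

# Fixed configuration, equivalent to each app setting
#   :tmpdir => File.join(RAILS_ROOT, '/tmp')
# in its own config/environment.rb: every app keeps its own session directory.
def per_app_tmpdir_bypass?
  Dir.mktmpdir('hosts') do |root|
    replay_demo_session(File.join(root, 'demo', 'tmp'),
                        File.join(root, 'site', 'tmp'))
  end
end

if __FILE__ == $0
  puts "shared /tmp:  admin bypass = #{shared_tmpdir_bypass?}"
  puts "per-app tmp:  admin bypass = #{per_app_tmpdir_bypass?}"
end
```

Note that the fix only separates applications that each set their own :tmpdir; any app left on the default still shares /tmp with every other default-configured Ruby app on the host, and the directory itself is readable by every local user unless permissions say otherwise. Moving sessions into each application's own database table (the ActiveRecord session store the message mentions) removes the shared directory entirely.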
