Sylvain Gibier wrote:
> Contact me at my email address cptflam [at] gmail.com -
>
> I found the security hole.
Sylvain did indeed find a security hole in the radiantcms.org configuration. It wasn't a security problem in Radiant per se, but it was a problem with the way Radiant was configured on my host. However, the hole it uncovered is something that may affect ANY Radiant application running on a shared host.

To gain access to the admin pages of radiantcms.org Sylvain used Firefox 2.0 with the Web Developer extension, which allows you to see the current cookies for a page. Here is how he got access to the Radiant admin:

1) He first logged on to the admin part of the demo site:
   http://demo.radiantcms.org/admin/pages

2) Then he opened up another tab and initialized a new session by hitting this URL:
   http://radiantcms.org/admin/login

3) He then changed the _session_id cookie to the value used by the demo site using the Web Developer extension in Fox.

4) With the correct cookie set he could now bypass the login screen and hit the following URL:
   http://www.radiantcms.org/admin/pages

The reason this worked is that the CGI session stuff is configured by default to place sessions in /tmp for all Ruby applications. Both the demo application and the version of Radiant powering the Radiant Web site were configured to use this default. This effectively meant that they could share the same sessions once the _session_id cookie was set up correctly.

I fixed the problem by following the advice of this article:

http://weblog.textdrive.com/article/196/on-rails-sessions

which recommended that you place the following line in config/environment.rb:

  ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:tmpdir => File.join(RAILS_ROOT, '/tmp'))

We will probably be switching to ActiveRecord based sessions to avoid this in the future. In the meantime, people running Radiant sites should take note of the above, ESPECIALLY THOSE USING A SHARED HOST!!!
--
John Long
http://wiseheartdesign.com
_______________________________________________
Radiant mailing list
Post: [email protected]
Search: http://radiantcms.org/mailing-list/search/
Site: http://lists.radiantcms.org/mailman/listinfo/radiant
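The four steps above, replayed as an added Ruby model. This is example code written for this page, not Radiant's or Rails' own code: FileSessionStore is an assumed stand-in for the old CGI::Session file-based default (one Marshal dump per session id in a tmpdir, file name derived from the _session_id cookie), RadiantApp is a toy admin that only checks session[:user_id], and the user id "demo-admin" and the temp directories are constructed. The host names are the ones from the mail. shared_tmpdir_attack puts both apps on one directory, as the default did; per_app_tmpdir_attack gives each app its own directory, as the :tmpdir fix does.

```ruby
require "securerandom"
require "tmpdir"
require "fileutils"

# Stand-in for the old CGI::Session file store (assumed behaviour for this
# example, not Rails' code): one Marshal dump per session under +tmpdir+,
# named after the id that the browser presents in its _session_id cookie.
class FileSessionStore
  ID_FORMAT = /\A[0-9a-f]{32}\z/

  def initialize(tmpdir)
    @tmpdir = tmpdir
    FileUtils.mkdir_p(@tmpdir)
  end

  # Create a fresh session and return its id (the value that goes in the cookie).
  def create(data = {})
    id = SecureRandom.hex(16)
    File.binwrite(path_for(id), Marshal.dump(data))
    id
  end

  # Look the cookie value up on disk. Nothing ties the file to the application
  # that wrote it: any app pointed at the same directory loads it just the same.
  # Malformed or unknown ids yield nil (no path traversal via the cookie).
  def load(id)
    return nil unless id.is_a?(String) && id.match?(ID_FORMAT)
    path = path_for(id)
    File.exist?(path) ? Marshal.load(File.binread(path)) : nil
  end

  private

  def path_for(id)
    File.join(@tmpdir, "ruby_sess.#{id}")
  end
end

# Toy "Radiant" admin: login stores session[:user_id]; /admin/pages checks it.
class RadiantApp
  def initialize(host, store)
    @host, @store = host, store
  end

  # POST /admin/login with valid credentials -> Set-Cookie: _session_id=<id>
  def login(user_id)
    @store.create(user_id: user_id)
  end

  # GET /admin/login with no cookie -> an empty session is started (step 2).
  def visit_login_page
    @store.create
  end

  # GET /admin/pages with the given _session_id cookie value.
  def admin_pages(session_id)
    session = @store.load(session_id)
    return :login_required unless session && session[:user_id]
    "#{@host}: admin pages for #{session[:user_id]}"
  end
end

# Both apps on the default shared session directory (a temp dir stands in
# for /tmp). Returns what radiantcms.org serves for the swapped cookie.
def shared_tmpdir_attack
  Dir.mktmpdir("shared-tmp") do |tmp|
    demo = RadiantApp.new("demo.radiantcms.org", FileSessionStore.new(tmp))
    site = RadiantApp.new("radiantcms.org", FileSessionStore.new(tmp))

    demo_cookie = demo.login("demo-admin")  # 1) log in to the demo site
    site.visit_login_page                   # 2) start a session on the real site
    stolen = demo_cookie                    # 3) set _session_id to the demo's value
    site.admin_pages(stolen)                # 4) admin reached without a password
  end
end

# Each app with its own directory, the effect of
# :tmpdir => File.join(RAILS_ROOT, '/tmp') in both apps' environment.rb.
def per_app_tmpdir_attack
  Dir.mktmpdir("demo-tmp") do |demo_tmp|
    Dir.mktmpdir("site-tmp") do |site_tmp|
      demo = RadiantApp.new("demo.radiantcms.org", FileSessionStore.new(demo_tmp))
      site = RadiantApp.new("radiantcms.org", FileSessionStore.new(site_tmp))

      demo_cookie = demo.login("demo-admin")
      site.visit_login_page
      site.admin_pages(demo_cookie)         # the demo's id resolves to nothing here
    end
  end
end

if __FILE__ == $0
  puts shared_tmpdir_attack   # radiantcms.org: admin pages for demo-admin
  puts per_app_tmpdir_attack  # login_required
end
```

The only difference between the two runs is which directory each store reads from: the session id itself is unguessable, but in the shared layout the second application never asks who created the file it is handed, so a valid id from any co-hosted application is a valid login everywhere.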
