Hi there, beaker.session is (like most session frameworks) vulnerable to a "malicious pickle" attack (if the attacker knows the secret key) when cookies are used (which can lead to remote code execution). Now, of course, the secret key is - as its name says - meant to be kept secret and to be changed for every deployment, and the vulnerabilities in the pickle protocol are also mentioned in the Python docs. So, "normal" applications should be safe - as long as there is no possibility for arbitrary file access. Though, brute-force decrypting the cookie, looking for something that looks like pickled data, could be possible.

But, as an easy solution is to just use beaker.session.type = file instead of cookie, I think it could be worth either discussing changing the default or at least mentioning this explicitly in a red box in the documentation. ;) - Especially since it also applies to apps that do not actively use tg.session - since the session gets depickled anyway (and in such cases, a developer might think that he doesn't need to care about the secret key at all!).

The vulnerabilities are described here: http://vudang.com/2013/01/python-web-framework-from-lfr-to-rce/ and a PoC exploit that can be used is available here: https://github.com/danghvu/pwp

Regards,
Moritz

--
Moritz Schlarb
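As an added example (not from the post above or from the Beaker/TurboGears projects), a small audit function that reads a Paste-style INI and flags the two conditions the post describes: a cookie-based session type and a secret that is empty or a placeholder. It assumes Beaker's option names beaker.session.type, beaker.session.secret, beaker.session.validate_key and beaker.session.data_dir, and the list of placeholder secrets is a constructed assumption; both INI samples are constructed.

```python
import configparser

# Constructed sample configs (assumptions, not taken from any real deployment).
RISKY_INI = """
[app:main]
use = egg:myapp
beaker.session.type = cookie
beaker.session.secret = somesecret
beaker.session.validate_key = somesecret
"""

HARDENED_INI = """
[app:main]
use = egg:myapp
beaker.session.type = file
beaker.session.data_dir = %(here)s/data/sessions
beaker.session.secret = a-long-random-per-deployment-value
beaker.session.validate_key = a-long-random-per-deployment-value
"""

# Assumed placeholder values that should never survive into a deployment.
PLACEHOLDER_SECRETS = {"", "somesecret", "changeme", "secret"}


def audit_beaker_session(ini_text, section="app:main"):
    """Return a list of findings for the Beaker session options in one INI section."""
    # interpolation=None keeps Paste's %(here)s markers from tripping configparser.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    opts = cp[section] if cp.has_section(section) else {}
    findings = []

    session_type = opts.get("beaker.session.type")
    if session_type is None:
        findings.append("beaker.session.type is not set; verify the framework default")
    elif session_type.strip().lower() == "cookie":
        findings.append("beaker.session.type is 'cookie': pickled session data "
                        "travels in the client cookie and is only protected by the secret")

    for key in ("beaker.session.secret", "beaker.session.validate_key"):
        if opts.get(key, "").strip().lower() in PLACEHOLDER_SECRETS:
            findings.append(f"{key} is empty or a placeholder value")
    return findings


if __name__ == "__main__":
    for name, ini in (("risky", RISKY_INI), ("hardened", HARDENED_INI)):
        print(name, audit_beaker_session(ini) or ["no findings"])
```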

