[katello-devel] ActiveRecord SQL injection and secret_token.rb

Ohad Levy ohadlevy at redhat.com
Tue Jan 8 15:38:23 UTC 2013


for the record, we solved it differently for foreman too :)

see https://github.com/theforeman/foreman/commit/adfcf8f0fa17dd352588fbd9eb24286502ccc90f

Ohad

----- Original Message -----
| 
| 
| ----- Original Message -----
| > Hi everybody,
| > 
| > You probably noticed that a new version of Ruby on Rails was released
| > fixing the CVE-2012-5664 vulnerability. The details of how to exploit
| > this vulnerability are very well described at Phusion's blog [1].
| > 
| > However, what is more important is that since your application secret
| > token is not that secret, i.e. it is published on github [2], cookies of
| > Aeolus could be faked [3]. Katello seems to do better in this area [4]
| > (although it was just a quick look into the code, not a security audit :)).
| > Please consider narrowing this situation.
| 
| Just FYI: secret_token in Katello is regenerated at rpm installation.
| Thanks for the heads up!
| 
| -- Ivan
| 
| > 
| > Thank you
| > 
| > 
| > Vít
| > 
| > 
| > 
| > [1] http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
| > [2] https://github.com/aeolusproject/conductor/blob/master/src/config/initializers/secret_token.rb#L23
| > [3] http://biggestfool.tumblr.com/post/24049554541/reminder-secret-token-rb-is-named-so-for-a-reason
| > [4] https://github.com/Katello/katello/blob/master/src/config/initializers/secret_token.rb
| > 
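The thread's point is that a secret token committed to a public repository is shared by every install, so a session cookie signed on one deployment verifies on all of them, while a token generated per install (as Katello does at rpm installation) does not have that problem. The following is an added example, not code from Katello, Foreman or Aeolus and not the Foreman commit linked above: it generates a random secret on first boot, persists it in a mode-0600 file (the path is an assumption; a temp dir stands in for a system config directory), and uses a minimal HMAC signed-cookie stand-in (modelled on the shape of Rails 3's ActiveSupport::MessageVerifier output, but not the Rails implementation) to show that a second install with its own secret rejects the first install's cookies.

```ruby
# Added example (not code from Katello, Foreman or Aeolus): generate the Rails
# secret token on first boot and keep it in a mode-0600 file outside the
# repository, instead of committing a fixed value to secret_token.rb.
require 'securerandom'
require 'openssl'
require 'base64'
require 'fileutils'
require 'tmpdir'

# Read the secret from +path+; on first run create a 512-bit random one.
# +path+ is an assumption: in a packaged install it would be a file written by
# the rpm's scriptlet (e.g. "/etc/<app>/secret_token", a placeholder path).
def load_or_create_secret(path)
  if File.exist?(path)
    secret = File.read(path).strip
    raise "secret in #{path} is too short" if secret.length < 128
    return secret
  end
  secret = SecureRandom.hex(64) # 64 random bytes -> 128 hex characters
  FileUtils.mkdir_p(File.dirname(path))
  # O_EXCL: fail rather than overwrite a secret created by a concurrent boot.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(secret) }
  secret
end

# Constant-time byte comparison so the verifier does not leak the expected
# digest through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal stand-in for a signed session cookie: "base64(payload)--hmac".
# It mirrors the shape of Rails 3's ActiveSupport::MessageVerifier output
# (HMAC-SHA1 over the encoded payload) but is an illustration, not Rails code.
def sign_cookie(secret, payload)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Return the payload if the signature was made with +secret+, otherwise nil.
def verify_cookie(secret, cookie)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  return nil unless secure_equal?(digest, expected)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

# Two installs that each generated their own secret: install B must reject a
# cookie signed by install A, which a shared, committed secret cannot ensure.
# A temp dir is a constructed stand-in for the system config directory.
def per_install_secret_demo
  Dir.mktmpdir do |dir|
    path_a = File.join(dir, 'install_a', 'secret_token')
    path_b = File.join(dir, 'install_b', 'secret_token')
    secret_a = load_or_create_secret(path_a)
    secret_b = load_or_create_secret(path_b)
    cookie = sign_cookie(secret_a, 'user_id=1')
    {
      secrets_differ: secret_a != secret_b,
      file_mode_0600: (File.stat(path_a).mode & 0o777) == 0o600,
      survives_reboot: load_or_create_secret(path_a) == secret_a,
      own_cookie_accepted: verify_cookie(secret_a, cookie) == 'user_id=1',
      foreign_cookie_rejected: verify_cookie(secret_b, cookie).nil?,
      tampered_cookie_rejected: verify_cookie(secret_a, cookie.sub('--', 'A--')).nil?
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  per_install_secret_demo.each { |check, ok| puts "#{check}: #{ok}" }
end
```

The generated file is the only thing the initializer needs to read at boot, so it can be excluded from the repository and created by the package's post-install step; rotating it simply invalidates every existing session on that one install.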
