Date: Tue, 17 Dec 2013 19:56:18 -0500 (EST) From: cve-assign@...re.org To: stbuehler@...httpd.net Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: Juvia secret token handling -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Juvia is a Ruby on Rails application to host "comments": > > A commenting server similar to Disqus and IntenseDebate > > It includes a "default" secret to validate cookies in > `app/config/initializers/secret_token.rb', and the install instructions > do not include generating a new secret. > Also the file in question is maintained in git, and configuration > should not touch these files. > > This means an attacker could modify session state, which is somehow > trusted by the Rails application. > > A workaround for Juvia is to generate a new secret (`rake secret') and > replace the one in > `app/config/initializers/secret_token.rb' (invalidating all cookies, > don't forget to restart Juvia). > You have to be careful when switching between git branches and so on to > not loose the change. > > The core problem is that rails generated the file that way; other gems > have similar issues. > The rails security team has been informed about this. They would be eligible for their own CVE ID if they conclude that this is a security-relevant implementation error in the file-generation process. The CVE below is specific to Juvia, for the issue in which a valid Juvia::Application.config.secret_token value is "shipped" in the product without an installation step in which the value must be changed. > * Juvia "public" secret: > https://github.com/phusion/juvia/blob/master/config/initializers/secret_token.rb > * Juvia issue for this: https://github.com/phusion/juvia/issues/55 Use CVE-2013-7134. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSsPGmAAoJEKllVAevmvms38cH/2MOQkPQcH6E3P/OB6Gb+joD DsqJz+03vWIO++M3JlbEESry7CwhyBJqwzIJUDeMb/zz4AcUR+xnIx0u3gVQzq9k bJF3r3QdVRg0gkQoA8wx1eXaNhPDCRboqXI9Q9FopkvP9r9A5PSQF1QytITI/7b4 TzSqx9VMK3Acp4gGx4DKiQSFJRuFPLm1HWWuvFwg3G3J2/77hAegOs5z6Jo1vbHi VL2A/LTOBE+AHkhvdcBXQmtsLWUnf+cb3HRL6R5Ekt4ke+gWkLlRdau0Mq4YpnWa 5n4GUEmasWLOfVDgblGIrMrbjplPZneGw8VsMXCjIWswQuFaVyyTEmBZD9EXcG4= =qD6C -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ