Date: Wed, 18 Dec 2019 23:09:40 -0500 From: "Stuart D. Gathman" <stuart@...hman.org> To: oss-security@...ts.openwall.com Subject: Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack On Thu, 2019-12-19 at 00:33 +0500, Alexander E. Patrakov wrote: > > > The session id itself may be generated randomly, but the way the > > session is indexed by the backing store does not use a secure > > comparison. > > I don't understand why this is reported as something Rack-specific. > > On the other hand, I don't see how a timing attack would be possible > on the most common data structures (B-Tree and Hash) used for > database indexes. My B-tree uses minimum unique key with leading duplicates not stored for all but the leaf nodes - so it would also (eventually - there is so much noise in the timing measurement) give away the key via timing attacks. I had not thought of that angle, and I hope I remember this the next time I am reinventing session ids. Now I'm also wondering about other libraries that manage session ids. Java servlets in Apache Tomcat?
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.