Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 8 Apr 2020 21:26:07 -0400 (EDT)
From: Stuart D Gathman <>
Subject: Re: [CVE-2019-16782] Possible Information Leak /
 Session Hijack Vulnerability in Rack

On Thu, 9 Apr 2020, Brian May wrote:

>> 1. The attacker could send various bogus session ids, starting with
>> all possible valid bytes. The database, if it uses a trie (yes,
>> strawman example - is it used by any real-world database?) as a data
>> structure to speed up looking up sessions, will terminate the
>> comparison early on invalid bytes, thus disclosing them.

Not real-world as the number of installations is maybe 6 now, but
the one I wrote removes leading duplicates from index records (replacing
with a dup count).  I believe that timing the lookups could disclose
bytes as described.  It's super efficient, though.  :-)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.