Hi everybody,
You probably noticed that a new version of Ruby on Rails was released
fixing the CVE-2012-5664 vulnerability. The details of how to exploit
this vulnerability are very well described on Phusion's blog [1].
However, what is more important is that since your application secret
token is not that secret, i.e. it is published on GitHub [2], Aeolus
cookies could be faked [3]. Katello seems to do better in this area [4]
(although it was just a quick look into the code, not a security audit :)).
Please consider narrowing this situation.
Thank you
Vít
[1] http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
[2] https://github.com/aeolusproject/conductor/blob/master/src/config/initializers/secret_token.rb#L23
[3] http://biggestfool.tumblr.com/post/24049554541/reminder-secret-token-rb-is-named-so-for-a-reason
[4] https://github.com/Katello/katello/blob/master/src/config/initializers/secret_token.rb
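The point of the post above is that a Rails `config.secret_token` committed to a public repository is no longer a secret, so any signed cookie can be forged. The following is an added example, not code from the original post nor from the Aeolus or Katello projects: a small Ruby audit check that flags an initializer assigning `secret_token` from a string literal, beside a loader that supplies the token at boot from outside the repository instead. The environment variable name `SECRET_TOKEN`, the `SecretToken` module and the file path are assumptions chosen for the example; only `config.secret_token` itself is the real Rails 3 setting.

```ruby
# Added example (not from the original post or the Aeolus/Katello projects):
# audit a secret_token.rb initializer for a hardcoded literal, and load the
# token from outside the repository instead.
require 'securerandom'
require 'tmpdir'

# Constructed sample of the weak form: the token is a literal in a file that
# gets committed, so everyone with read access to the repo can sign cookies.
WEAK_INITIALIZER = <<~RUBY
  # Your secret key for verifying the integrity of signed cookies.
  Example::Application.config.secret_token = 'a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90'
RUBY

# Constructed sample of the hardened form: no literal in the repository; the
# value is resolved at boot (SecretToken is a hypothetical helper, below).
HARDENED_INITIALIZER = <<~RUBY
  Example::Application.config.secret_token = SecretToken.load
RUBY

# Return true when any non-comment line assigns secret_token from a quoted
# string literal. ENV lookups, method calls and file reads do not match.
def hardcoded_secret?(source)
  source.lines.any? do |line|
    next false if line.strip.start_with?('#')
    line =~ /secret_token\s*=\s*(['"])[^'"]+\1/
  end
end

module SecretToken
  MIN_LENGTH = 64 # hex characters; `rake secret` emits 128 by default

  # Resolve the token from the SECRET_TOKEN environment variable (assumed
  # name) or from a file kept outside the repository (assumed path).
  # Fail loudly rather than fall back to a weak or shared default.
  def self.load(env: ENV, path: nil)
    token = env['SECRET_TOKEN']
    token = nil if token && token.empty?
    token = File.read(path).strip if token.nil? && path && File.exist?(path)
    raise 'SECRET_TOKEN not set' if token.nil? || token.empty?
    raise 'secret token too short' if token.length < MIN_LENGTH
    token
  end

  # Generate a fresh random token and write it with owner-only permissions,
  # so a deploy can create the out-of-repo file on first boot.
  def self.generate!(path)
    token = SecureRandom.hex(64)
    File.open(path, 'w', 0600) { |f| f.write(token) }
    token
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "weak initializer hardcoded?     #{hardcoded_secret?(WEAK_INITIALIZER)}"
  puts "hardened initializer hardcoded? #{hardcoded_secret?(HARDENED_INITIALIZER)}"
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'secret_token')
    SecretToken.generate!(path)
    puts "loaded #{SecretToken.load(env: {}, path: path).length} hex chars from #{path}"
  end
end
```

The audit function is deliberately narrow: it only complains about a quoted literal on the assignment line, which is exactly the pattern that ends up in version control. Rotating the token after it has been published is what actually closes the exposure; the loader just makes sure the replacement does not land in the repository again.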
Subject: ActiveRecord SQL injection and secret_token.rb (Vít Ondruch)