Re: What happens when secret key is lost?
On 2014-05-21 16:44, Erik Romijn wrote:
> > Could you elaborate on how such remote-code execution would
> > happen?
>
> If you use Django's cookie-based sessions[1], knowledge of the
> SECRET_KEY allows an attacker to forge a cookie with session data.
> Forging sessions is bad enough, but if you combine this with
> PickleSerializer[2], that escalates to remote code execution:
> pickle is flexible but also unsafe: it's fairly simple to fabricate
> data that, when unpickled, executes particular Python code. This is
> why one must never unpickle data from an untrusted source.

I know not to (and don't) use Pickle for that reason, but if Django is using it and trusting the SECRET_KEY to protect it, that makes perfect sense.

Thanks!

-tkc

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/20140521120129.091f9cfd%40bigbox.christie.dr.
For more options, visit https://groups.google.com/d/optout.
Re: What happens when secret key is lost?
On 20 May 2014, at 22:27, Tim Chase wrote:
>> And yes, it is very important to keep it secret. The worst case
>> scenario for secret key leakage, in particular configurations, is
>> arbitrary remote code execution.
>
> Could you elaborate on how such remote-code execution would happen?

If you use Django's cookie-based sessions[1], knowledge of the SECRET_KEY allows an attacker to forge a cookie with session data. Forging sessions is bad enough, but if you combine this with PickleSerializer[2], that escalates to remote code execution: pickle is flexible but also unsafe: it's fairly simple to fabricate data that, when unpickled, executes particular Python code. This is why one must never unpickle data from an untrusted source.

PickleSerializer was the only option in Django<1.5, default option in Django 1.6, and non-default option in Django 1.7+, for this reason. As far as I know, cookie-backed sessions have never been the default in Django.

See my blog[3] for a more extensive description and a proof of concept based on Flask.

On 21 May 2014, at 16:03, Henning Sprang wrote:
> As for the location where to document it: I stumbled upon it in the
> "deployment checklist" part of the docs, where it only said it's
> important to keep it secret while those further questions were left
> unanswered - so when adding more info, you might also put a link on
> the deployment pages when working on it anyway.

Thanks for the suggestion, that would be useful indeed.

cheers,
Erik

[1] https://docs.djangoproject.com/en/1.6/topics/http/sessions/#using-cookie-based-sessions
[2] https://docs.djangoproject.com/en/1.6/topics/http/sessions/#session-serialization
[3] http://erik.io/blog/2013/04/26/proof-of-concept-arbitrary-remote-code-execution-pickle-sessions/
Re: What happens when secret key is lost?
Hi Erik,

On Tue, May 20, 2014 at 8:34 PM, Erik Romijn wrote:
> ...
> If it were used for that, that would indeed be the scenario. Fortunately,
> it's not.

Good to know :)

> There is a current ticket open on documenting exactly this question:
> https://code.djangoproject.com/ticket/22310. I'd worked through most of it
> but somehow lost my changes.

Thanks for your explanations - they help a lot!

As for the location where to document it: I stumbled upon it in the "deployment checklist" part of the docs, where it only said it's important to keep it secret while those further questions were left unanswered - so when adding more info, you might also put a link on the deployment pages when working on it anyway.

Let me know if you need help, e.g. proof-reading what you will put in the docs.

Thanks & Cheers,
Henning

--
Henning Sprang
http://www.sprang.de
Re: What happens when secret key is lost?
On 20/05/2014 at 20.40, Henning Sprang wrote:
> Also, if it should be kept secret, I guess it's safe to assume that
> using an online generator like
> https://djskgen.herokuapp.com/ is not the smartest idea one can come
> up with, right?

You can use any random string, but you could also install django_extensions and do:

    ./manage.py generate_secret_key

Erik
Re: What happens when secret key is lost?
On 2014-05-20 21:34, Erik Romijn wrote:
> > The question is, what happens when I lose it - when it's used for
> > password hash salt, doesn't that mean if it's lost, all users
> > have to reset their password, don't they?
>
> If it were used for that, that would indeed be the scenario.
> Fortunately, it's not.
>
> There is a current ticket open on documenting exactly this
> question: https://code.djangoproject.com/ticket/22310. I'd worked
> through most of it but somehow lost my changes.
>
> From memory, and without review by a second pair of eyes, I believe
> the effects are limited to:
> - All currently existing sessions are invalidated.
> - All password reset tokens are invalidated.
> - All form previews in progress require an additional confirmation.
> - All form wizards in progress are reset, and if using the cookie
>   backend for form wizards, this may lead to exceptions.
>
> Also, any third party packages or any of your own code that uses
> the secret key may be affected. Notably not affected (in Django
> itself) are user passwords, and general content in the database.

Thanks for the concise summary. I've researched this on my own in the past enough to know that passwords weren't impacted, and session tokens were invalid, but the others didn't register to me when I grepped the code-base.

> And yes, it is very important to keep it secret. The worst case
> scenario for secret key leakage, in particular configurations, is
> arbitrary remote code execution.

Could you elaborate on how such remote-code execution would happen?

Thanks,

-Tim
Re: What happens when secret key is lost?
Hello Henning,

On 20 May 2014, at 20:40, Henning Sprang wrote:
> The question is, what happens when I lose it - when it's used for
> password hash salt, doesn't that mean if it's lost, all users have to
> reset their password, don't they?

If it were used for that, that would indeed be the scenario. Fortunately, it's not.

There is a current ticket open on documenting exactly this question: https://code.djangoproject.com/ticket/22310. I'd worked through most of it but somehow lost my changes.

From memory, and without review by a second pair of eyes, I believe the effects are limited to:
- All currently existing sessions are invalidated.
- All password reset tokens are invalidated.
- All form previews in progress require an additional confirmation.
- All form wizards in progress are reset, and if using the cookie backend for form wizards, this may lead to exceptions.

Also, any third party packages or any of your own code that uses the secret key may be affected. Notably not affected (in Django itself) are user passwords, and general content in the database.

> Also, if it should be kept secret, I guess it's safe to assume that
> using an online generator like
> https://djskgen.herokuapp.com/ is not the smartest idea one can come
> up with, right?

I would not recommend using such a service. Although it's probably not malicious, there is no reason to use this either. Remember also that the secret key has no particular format. Any random string, e.g. one that you may get from a password manager, can be used.

And yes, it is very important to keep it secret. The worst case scenario for secret key leakage, in particular configurations, is arbitrary remote code execution.

cheers,
Erik
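As an added example, written for this page and not taken from Django, from Erik's Flask proof of concept, or from any poster here, the following Python models the signed-cookie session scheme Erik describes earlier in the thread and walks through the situations discussed in this message: the signature rejects a cookie that was not made with the server's SECRET_KEY (so rotating the key invalidates every existing session and signed token), a leaked SECRET_KEY lets anyone forge session data, and a leaked key combined with a pickle-based serializer makes the server run attacker code the moment it loads the cookie. It also covers the key-generation point from the replies above: any random string from the OS CSPRNG will do, and there is no reason to fetch one from a website. The cookie layout, the salt, the SHA-256 key derivation, the `SECRET_KEY` value, the `_auth_user_id` session field and the `eval`-based payload are all simplified stand-ins chosen for this example; Django's real signing module is not used and its exact wire format is not reproduced.

```python
"""Constructed model of signed-cookie sessions: what SECRET_KEY does and does not protect.
Written for this page; the cookie layout, salt and key derivation are simplified
stand-ins for django.core.signing, and every constant below is made up."""
import base64
import hashlib
import hmac
import json
import os
import pickle
import secrets

SECRET_KEY = "constructed-example-key-not-for-real-use"  # stands in for settings.SECRET_KEY
SESSION_SALT = "example.sessions.signed_cookies"        # constructed salt for this model

class BadSignature(Exception):
    """The cookie's signature does not verify under the server's key."""

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(payload: bytes, secret_key: str, salt: str) -> bytes:
    # HMAC under a key derived from salt + SECRET_KEY. Anyone holding SECRET_KEY
    # can compute this, which is why a leak lets them forge cookies.
    key = hashlib.sha256((salt + secret_key).encode()).digest()
    return hmac.new(key, payload, hashlib.sha256).digest()

def sign(payload: bytes, secret_key: str, salt: str = SESSION_SALT) -> str:
    return _b64(payload) + ":" + _b64(_mac(payload, secret_key, salt))

def unsign(cookie: str, secret_key: str, salt: str = SESSION_SALT) -> bytes:
    encoded_payload, _, encoded_mac = cookie.rpartition(":")
    payload = _unb64(encoded_payload)
    if not hmac.compare_digest(_unb64(encoded_mac), _mac(payload, secret_key, salt)):
        raise BadSignature("signature mismatch")
    return payload

class JSONSerializer:
    """Safe on untrusted input: json.loads only builds dicts, lists, strings, numbers."""
    dumps = staticmethod(lambda obj: json.dumps(obj, separators=(",", ":")).encode())
    loads = staticmethod(lambda data: json.loads(data.decode()))

class PickleSerializer:
    """Unsafe on untrusted input: pickle.loads calls whatever __reduce__ asked for."""
    dumps = staticmethod(pickle.dumps)
    loads = staticmethod(pickle.loads)

def encode_session(session, serializer, secret_key: str) -> str:
    return sign(serializer.dumps(session), secret_key)

def decode_session(cookie: str, serializer, secret_key: str):
    return serializer.loads(unsign(cookie, secret_key))

class CodeExecPayload:
    """Attacker-crafted object: unpickling it calls eval() on the embedded expression.
    The expression is harmless here (it returns the unpickling process's PID) so the
    effect is observable; a real payload could run anything Python can."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))

def generate_secret_key(nbytes: int = 48) -> str:
    # Any random string will do; take it from the OS CSPRNG, not from a website.
    return secrets.token_urlsafe(nbytes)

def demo(leaked_key: str = SECRET_KEY) -> dict:
    """The four situations discussed in the thread, in order."""
    results = {"server_pid": os.getpid()}
    # 1. A legitimate JSON session round-trips.
    cookie = encode_session({"_auth_user_id": "42"}, JSONSerializer, SECRET_KEY)
    results["legit"] = decode_session(cookie, JSONSerializer, SECRET_KEY)
    # 2. After SECRET_KEY is rotated, every existing cookie fails verification:
    #    all current sessions (and any other signed token) are invalidated.
    try:
        decode_session(cookie, JSONSerializer, generate_secret_key())
        results["after_rotation"] = "accepted"
    except BadSignature:
        results["after_rotation"] = "rejected"
    # 3. With the leaked key, an attacker signs whatever session data they like.
    forged = encode_session({"_auth_user_id": "1"}, JSONSerializer, leaked_key)
    results["forged_json"] = decode_session(forged, JSONSerializer, SECRET_KEY)
    # 4. Leaked key plus PickleSerializer: the server runs the attacker's code
    #    the moment it loads the cookie.
    forged = encode_session(CodeExecPayload(), PickleSerializer, leaked_key)
    results["forged_pickle"] = decode_session(forged, PickleSerializer, SECRET_KEY)
    return results
```

Calling `demo()` returns a dict in which `forged_pickle` equals `server_pid`: the `eval` embedded in the attacker's cookie ran inside the process that decoded it, which is the escalation from session forgery to code execution that the thread describes. Note that step 3 already amounts to session takeover with the safe JSON serializer; switching the serializer only limits what a leaked key buys, it does not make the leak harmless.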
What happens when secret key is lost?
Hi,

I have developed quite a bit in Django already, but only now am I for the first time responsible for putting something into real production use. So I am working through the deployment checklist, and it says the secret key must be kept super secret. One example shows how to set it as an environment variable.

The question is, what happens when I lose it - when it's used for password hash salt, doesn't that mean if it's lost, all users have to reset their password, don't they?

Also, if it should be kept secret, I guess it's safe to assume that using an online generator like https://djskgen.herokuapp.com/ is not the smartest idea one can come up with, right?

Cheers and thanks in advance,
Henning

--
Henning Sprang
http://www.sprang.de