[Secure-testing-team] Bug#728871: fookebox: bogus secret value in config

Jonas Smedegaard Wed, 06 Nov 2013 04:06:55 -0800

Package: fookebox
Version: 0.6.1-2
Severity: grave
Tags: security
Justification: user security hole


Default config installed as /etc/fookebox/config.ini contains this line:

  beaker.session.secret = somesecret

According to [Pylons documentation] that secret "should be a secret,
ideally randomly generated value on production environments."


 - Jonas


[Pylons documentation]: 
http://docs.pylonsproject.org/projects/pylons-webframework/en/latest/sessions.html

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team

[Secure-testing-team] Bug#728871: fookebox: bogus secret value in config

Reply via email to