Camping 2.0 - What's left?

Bluebie, Jenna blueberry at creativepony.com
Sun May 25 20:23:31 EDT 2008


On 26/05/2008, at 10:18 AM, Aníbal Rojas wrote:

> Agreed all the previous stuff...
>
>> The reason nobody can ever spoof a session is that they can never generate the needed hash because they don't have the @@state_secret piece of text needed to do so, hopefully! This presents a challenge for open source. We really need to raise an error if anyone tries to use CookieSessions without setting the @state_secret to something other than nil or "". Maybe one good
>
> I don't think raising an error is _required_, filling the log with a meaningful message / advice should be enough.
>
>> solution is to add logic to CookieSessions so that if it is run without a @@state_secret supplied, it creates a file containing the state_secret, filling it with totally random characters. This too is a terrible security risk though, as the camping app may be being run in a webserver like apache or lighttpd, and that state_secret file generated may be readable by the web server. If an attacker can simply download a file telling them the state secret, it's game over. The only sensible default I could think of was the source code to the application itself, still problematic for open source, but would allow people to build apps without specifying an @state_secret and
>
> Interesting idea.
>
>> have a unique value used anyway. As they change the source code during development, they would be repeatedly signed out. I couldn't figure out a
>
> I think it would be more an annoyance than a real trouble for the users.
> The Web is intrinsically broken.
>
>> way to do this well with the current release of camping.
>
> For your idea of using the source code (I think it could be more than
> enough) I think another variation could be:
>
> - Using a directory listing of the app.
> - The value of an environment variable (
> - The timestamp (or something derived) of the folder containing the app.
> - The path where the app is installed
> - etc

I don't like any of these; it has to be something a remote attacker cannot find out the value of. A remote attacker could potentially get a directory listing, guess the value of an environment variable, find out the timestamp from a webserver's directory listing, and guess the path the app is installed to. The secret HAS to be a secret; it can't be something anyone else has any chance of guessing or finding out remotely.

>
>
> -- 
> Aníbal
>
>
>>
>>>> Jenna
>>
>> On 26/05/2008, at 7:45 AM, Aria Stewart wrote:
>>
>>> On Sat, 2008-05-24 at 22:43 -0500, _why wrote:
>>>>
>>>> On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
>>>>>
>>>>> * The cookie session is named Camping::Session and is placed in
>>>>> camping/session.rb. Maybe this should be called  
>>>>> Camping::CookieSession
>>>>> or???
>>>>
>>>> You know, these cookie sessions seem like they could be a problem.
>>>> A lot of sessions would contain just the hash and the user name.
>>>> So, spoof the user name and you're in, you know?
>>>
>>> Agreed, without an HMAC signature.
>>>
>>> _______________________________________________
>>> Camping-list mailing list
>>> Camping-list at rubyforge.org
>>> http://rubyforge.org/mailman/listinfo/camping-list
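As an added illustration of the HMAC-signed cookie session discussed in this thread (this is example code written for this page, not Camping's own Camping::Session), the module below signs the serialised state with the state_secret, refuses to run when that secret is nil or "", and rejects any cookie whose payload was altered (for instance a spoofed user name). The module and method names are assumptions, not the real Camping API.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Hypothetical stand-in for Camping's CookieSessions (names assumed).
module SignedCookieSession
  class MissingSecret < StandardError; end
  DIGEST = 'sha256'.freeze

  # A nil or empty @@state_secret would let anyone forge the hash, so
  # fail loudly instead of silently issuing unsigned cookies.
  def self.check_secret!(state_secret)
    if state_secret.nil? || state_secret.empty?
      raise MissingSecret, 'state_secret must be set to a non-empty value'
    end
    state_secret
  end

  # Cookie value is "<base64 payload>.<hex HMAC over the payload>".
  def self.encode(state, state_secret)
    check_secret!(state_secret)
    payload = Base64.strict_encode64(JSON.generate(state))
    "#{payload}.#{OpenSSL::HMAC.hexdigest(DIGEST, state_secret, payload)}"
  end

  # Returns the state hash, or nil when the cookie is malformed or its
  # signature does not match the payload (tampered or wrong secret).
  def self.decode(cookie, state_secret)
    check_secret!(state_secret)
    payload, mac = cookie.to_s.split('.', 2)
    return nil if payload.nil? || mac.nil?
    expected = OpenSSL::HMAC.hexdigest(DIGEST, state_secret, payload)
    return nil unless secure_equal?(mac, expected)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Constant-time comparison so the MAC cannot be guessed byte by byte
  # through timing differences.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

With a constructed secret, `decode(encode({ 'user' => 'jenna' }, secret), secret)` returns the original hash, while re-encoding the payload as `{"user":"admin"}` under the old MAC, or decoding under a different secret, yields nil.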