Hi all ---

In the course of developing our Facebook connect app, we realized that there was a security hole in Facebooker that allows any malicious user to change the state of the Facebooker module and crash any controller/view that uses Facebooker to capture a Facebook session. For Facebook connect apps, this could potentially be in any view that uses the "set_facebook_session" before_filter.

All the malicious user has to do is send a malformed HTTP request similar to:

http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned

The problem comes in the 'set_adapter' method of 'facebooker/lib/facebooker/rails/controller.rb', where Facebooker will attempt to load an adapter from the params hash if fb_sig_api_key is in the request (ignoring the configuration found in the facebooker.yml file). In this case, Facebooker would dutifully set the api_key to "you_are_pwned" and any subsequent call to Facebooker would try and use "you_are_pwned" as the api_key, causing it to crash the site.

Kevin Lochner's already pushed an update to github, so update to the latest commit:

6a954874369354324d87b2fe09c24db4bd485faf
http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf

Cheers,

Vince

----
Vincent Chu
Department of Applied Physics
Geballe Laboratory of Advanced Materials
McCullough Bldg. 318
476 Lomita Mall
Stanford, CA, 94305

Consider this:
"The smallest positive integer not definable in under eleven words."
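An added illustration of the trust-boundary mistake the post describes, not Facebooker's actual code and not the fix in the linked commit: a request parameter selecting the adapter (vulnerable) beside a variant that only honours keys the application is configured with. The facebooker.yml contents and the function names are constructed for the example.

```ruby
require 'yaml'

# Constructed stand-in for facebooker.yml (not a real configuration).
CONFIG_YAML = <<~YAML
  production:
    api_key: "configured_api_key"
    secret_key: "configured_secret"
YAML
CONFIG = YAML.safe_load(CONFIG_YAML)["production"]

Adapter = Struct.new(:api_key, :secret_key)

# Vulnerable pattern: whatever fb_sig_api_key the client sends becomes the
# api_key for every subsequent Facebook call, so an unknown key leaves the
# app with no matching secret and breaks each request that hits Facebook.
def set_adapter_vulnerable(params)
  if params["fb_sig_api_key"]
    Adapter.new(params["fb_sig_api_key"], nil)
  else
    Adapter.new(CONFIG["api_key"], CONFIG["secret_key"])
  end
end

# Hardened pattern (hypothetical): the request may name a key, but it is only
# used if it is one of the configured applications; anything else falls back
# to the configured default instead of mutating global state.
def set_adapter_hardened(params, known = { CONFIG["api_key"] => CONFIG })
  cfg = known.fetch(params["fb_sig_api_key"], CONFIG)
  Adapter.new(cfg["api_key"], cfg["secret_key"])
end

if __FILE__ == $PROGRAM_NAME
  hostile = { "fb_sig_api_key" => "you_are_pwned" }
  puts set_adapter_vulnerable(hostile).api_key  # you_are_pwned
  puts set_adapter_hardened(hostile).api_key    # configured_api_key
end
```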