oss-sec mailing list archives
Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack
From: "Stuart D. Gathman" <stuart () gathman org>
Date: Wed, 18 Dec 2019 23:09:40 -0500
On Thu, 2019-12-19 at 00:33 +0500, Alexander E. Patrakov wrote:
> > The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
>
> I don't understand why this is reported as something Rack-specific. On the other hand, I don't see how a timing attack would be possible on the most common data structures (B-Tree and Hash) used for database indexes.
My B-tree uses minimum unique key with leading duplicates not stored for all but the leaf nodes - so it would also (eventually - there is so much noise in the timing measurement) give away the key via timing attacks. I had not thought of that angle, and I hope I remember this the next time I am reinventing session ids. Now I'm also wondering about other libraries that manage session ids. Java servlets in Apache Tomcat?
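An added example to make the two points above concrete (this is constructed illustration code, not Rack's session code and not code posted by either participant). It models the backing store's index as a sorted key list searched by binary search with a byte-by-byte lexicographic compare, which is what a B-tree node lookup does; a Ruby Hash, as Patrakov notes, only compares keys after a bucket hit, so that case is not modelled here. The compare stops at the first differing byte, so its cost grows with the length of the common prefix between the attacker's guess and a stored key. The example counts byte comparisons instead of measuring wall-clock time (which, as Gathman says, is noisy) and shows the count rising with each correct prefix character when the raw session id is the index key, and staying flat when the index key is a SHA-256 digest of the id. Class and method names (`SortedIndex`, `LeakyStore`, `HashedStore`, `leak_profile`, `demo`) are this example's own.

```ruby
require "securerandom"
require "digest"

# Constructed model of a session backing store's index: sorted keys, binary
# search, lexicographic compare with early exit. Each byte examined by the
# compare costs one "step"; steps stand in for elapsed time.
class SortedIndex
  attr_reader :steps

  def initialize
    @keys = []      # kept sorted
    @values = {}
    @steps = 0
  end

  def insert(key, value)
    pos = @keys.bsearch_index { |k| k >= key } || @keys.size
    @keys.insert(pos, key)
    @values[key] = value
  end

  def lookup(key)
    @steps = 0
    lo, hi = 0, @keys.size - 1
    while lo <= hi
      mid = (lo + hi) / 2
      c = leaky_cmp(@keys[mid], key)
      return @values[@keys[mid]] if c.zero?
      if c < 0
        lo = mid + 1
      else
        hi = mid - 1
      end
    end
    nil
  end

  private

  # Early-exit compare: cost = length of common prefix + 1 (the differing byte).
  def leaky_cmp(a, b)
    n = [a.bytesize, b.bytesize].min
    n.times do |i|
      @steps += 1
      d = a.getbyte(i) <=> b.getbyte(i)
      return d unless d.zero?
    end
    a.bytesize <=> b.bytesize
  end
end

# Index key is the session id exactly as the client sent it (the leaky design).
class LeakyStore
  def initialize; @index = SortedIndex.new; end
  def steps; @index.steps; end

  def create(data, sid: SecureRandom.hex(16))
    @index.insert(sid, data)
    sid
  end

  def find(sid); @index.lookup(sid); end
end

# Index key is a digest of the session id: the bytes the attacker controls never
# reach the compare, so a guess's prefix says nothing about any stored key.
class HashedStore
  def initialize; @index = SortedIndex.new; end
  def steps; @index.steps; end

  def create(data, sid: SecureRandom.hex(16))
    @index.insert(Digest::SHA256.hexdigest(sid), data)
    sid
  end

  def find(sid); @index.lookup(Digest::SHA256.hexdigest(sid)); end
end

# Attacker's view: submit guesses sharing 0..len-1 leading characters with the
# victim's id (followed by a wrong character, then padding) and record the
# store's cost for each. A rising profile means correct prefixes are confirmed.
def leak_profile(store, victim_sid)
  (0...victim_sid.length).map do |p|
    wrong = victim_sid[p] == "0" ? "1" : "0"
    guess = victim_sid[0, p] + wrong + "0" * (victim_sid.length - p - 1)
    store.find(guess)
    store.steps
  end
end

# Populate a store with a few unrelated sessions plus the victim's, then profile.
def demo(store_class, victim_sid)
  store = store_class.new
  7.times { |i| store.create("user#{i}") }
  store.create("victim", sid: victim_sid)
  leak_profile(store, victim_sid)
end

if __FILE__ == $0
  sid = SecureRandom.hex(16)
  puts "leaky:  #{demo(LeakyStore, sid).inspect}"
  puts "hashed: #{demo(HashedStore, sid).inspect}"
end
```

Running it prints two profiles of 32 step counts: the leaky store's climbs by roughly one per correct character, the hashed store's stays within a few steps of constant. The hashed design also keeps an attacker who reads the backing store (a leaked Redis dump, say) from replaying the stored keys as cookies, since the store holds only digests.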
Current thread:
- [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Aaron Patterson (Dec 18)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Alexander E. Patrakov (Dec 18)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Stuart D. Gathman (Dec 19)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Alexander E. Patrakov (Dec 18)