web2py is vulnerable?


samuel bonill

Nov 29, 2013, 11:31:28 AM
to web...@googlegroups.com
There are known vulnerabilities regarding session management in Ruby on Rails and Django... How does web2py protect against such attacks?

LINK: http://thehackernews.com/2013/11/thousands-of-websites-based-on-ruby-on_29.html

Massimo Di Pierro

Nov 29, 2013, 1:11:28 PM
to web...@googlegroups.com
If I understand this post, there are two issues (in RoR) which conspire to create the problem:
1) session cookies can be stolen;
2) session cookies remain valid after logout.

The attack does not apply to web2py because 2) does not apply.
web2py, since 2.7.x, reissues session cookies when users sign in. That means that an attacker who steals a session cookie after the legitimate user signs out cannot use it to sign in.

Of course 1) still stands and session cookies can be stolen. Which means that an attacker who steals a session cookie can sign in while the legitimate user is also signed in. This can be prevented by forcing ssh.

I think we are fine.

Massimo
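The distinction Massimo draws above, as an added example that is not web2py's code or part of the original thread: a stateless signed-cookie session (my assumed model of the weak pattern, where logout can only ask the browser to drop a cookie that remains cryptographically valid) beside a server-side store that issues a fresh ID at sign-in and deletes the record at sign-out. Class names, the secret and the user "alice" are constructed for the example.

```python
"""Added example, not web2py's implementation: why a copied session cookie
keeps working after logout in a stateless signed-cookie session, and stops
working when the server re-issues IDs on sign-in and revokes on sign-out.
All names here are illustrative assumptions."""
import hashlib
import hmac
import secrets

SECRET = b"constructed-secret-for-the-example"  # assumption: a real deployment uses a random key


class SignedCookieSessions:
    """Weak pattern (assumed model): the cookie carries the session data plus
    an HMAC. There is no server-side record, so logout cannot revoke anything;
    any copy of the cookie still verifies and is accepted."""

    def _sign(self, payload: str) -> str:
        mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{mac}"

    def login(self, user: str) -> str:
        return self._sign(f"user={user}")

    def logout(self, cookie: str) -> None:
        # Only the browser forgets the cookie; the server has nothing to delete.
        return None

    def whoami(self, cookie: str):
        payload, _, mac = cookie.rpartition(".")
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        return payload.partition("=")[2]


class ServerSideSessions:
    """Hardened pattern: the cookie is only a random ID. Sign-in retires the
    pre-login ID and issues a new one (anti-fixation); sign-out deletes the
    server-side record, so a cookie copied earlier is worthless afterwards."""

    def __init__(self):
        self.store = {}

    def start(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.store[sid] = {"user": None}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        self.store.pop(old_sid, None)          # retire the ID the browser had before auth
        new_sid = secrets.token_urlsafe(32)    # fresh ID bound to the authenticated user
        self.store[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid: str) -> None:
        self.store.pop(sid, None)              # revoke server-side, not just in the browser

    def whoami(self, sid: str):
        return self.store.get(sid, {}).get("user")


def replay_after_logout(weak: bool) -> bool:
    """Thread scenario: the attacker copies the victim's cookie while the
    victim is logged in, the victim logs out, the attacker replays the copy.
    Returns True if the replayed cookie still authenticates as the victim."""
    if weak:
        s = SignedCookieSessions()
        cookie = s.login("alice")
        stolen = cookie                        # captured while alice was signed in
        s.logout(cookie)
        return s.whoami(stolen) == "alice"
    s = ServerSideSessions()
    sid = s.login(s.start(), "alice")
    stolen = sid
    s.logout(sid)
    return s.whoami(stolen) == "alice"


def fixation_survives_login() -> bool:
    """Anti-fixation check for the hardened store: an ID known before login
    must neither stay valid nor be reused once the user has authenticated."""
    s = ServerSideSessions()
    pre_login = s.start()
    post_login = s.login(pre_login, "alice")
    return pre_login == post_login or s.whoami(pre_login) == "alice"


if __name__ == "__main__":
    print("weak store honours replay after logout:", replay_after_logout(weak=True))
    print("hardened store honours replay after logout:", replay_after_logout(weak=False))
    print("pre-login ID usable after login:", fixation_survives_login())
```

Note that point 1) in the message is untouched by this: in both stores a cookie stolen while the victim is still signed in is accepted until that session ends, which is why the thread's other recommendation (serving the site over TLS so the cookie is not exposed on the wire, and marking it with the Secure attribute) still matters.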

samuel bonill

Nov 29, 2013, 6:11:39 PM
to web...@googlegroups.com
Thanks, Massimo...

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)

Michele Comitini

Nov 29, 2013, 7:06:25 PM
to web...@googlegroups.com
@Massimo

Of course 1) still stands and session cookies can be stolen. Which means that an attacker who steals a session cookie can sign in while the legitimate user is also signed in. This can be prevented by forcing ssh.

ssh?


Anthony

Nov 29, 2013, 9:57:24 PM
to web...@googlegroups.com
I think he meant SSL.

Massimo Di Pierro

Nov 29, 2013, 10:22:26 PM
to web...@googlegroups.com
Yes, sorry.

On Friday, 29 November 2013 20:57:24 UTC-6, Anthony wrote:
I think he meant SSL.

Michele Comitini

Nov 30, 2013, 3:15:46 AM
to web...@googlegroups.com
OK, that makes sense ;-)
After all, even ssh could be used to make a secure communication channel...
