[Facebooker-talk] Possible Security Hole in Facebooker -- Please Update!
vincent chu
vincentchu at gmail.com
Tue Feb 24 20:06:55 EST 2009
Hi all ---
In the course of developing our Facebook connect app, we realized that there
was a security hole in Facebooker that allows any malicious user to change
the state of the Facebooker module and crash any controller/view that uses
Facebooker to capture a Facebook session. For Facebook connect apps, this
could potentially be in any view that uses the "set_facebook_session"
before_filter.
All the malicious user has to do is send a malformed HTTP request similar
to:
http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned
The problem comes in the 'set_adapter' method of
'facebooker/lib/facebooker/rails/controller.rb' where Facebooker will
attempt to load an adapter from the params hash if fb_sig_api_key is in the
request (ignoring the configuration found in the facebooker.yml file). In
this case, Facebooker would dutifully set the api_key to "you_are_pwned" and
any subsequent call to Facebooker would try and use "you_are_pwned" as the
api_key, causing it to crash the site.
Kevin Lochner's already pushed an update to github, so update to the latest
commit:
6a954874369354324d87b2fe09c24db4bd485faf
http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf
Cheers,
Vince
----
Vincent Chu
Department of Applied Physics
Geballe Laboratory of Advanced Materials
McCullough Bldg. 318
476 Lomita Mall
Stanford, CA, 94305
Consider this:
"The smallest positive integer not definable in under eleven words."
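As an added illustration (not Facebooker's own code, and not the fix in the linked commit), the shape of the problem described in the post: an adapter chosen from the untrusted fb_sig_api_key parameter, next to a version that only lets that parameter select among apps configured in facebooker.yml. Adapter, CONFIGURED_APPS, DEFAULT_API_KEY and the set_adapter_* names are this example's own assumptions.

```ruby
# Added illustration, not Facebooker's own code: a stripped-down model of
# the adapter-selection flaw described in the post, and a hardened variant.
# Adapter, CONFIGURED_APPS and set_adapter_* are this example's own names.

# Constructed stand-in for facebooker.yml: every app this site is configured for.
CONFIGURED_APPS = {
  'abc123realkey'  => { api_key: 'abc123realkey',  secret_key: 's3cret-main' },
  'def456otherkey' => { api_key: 'def456otherkey', secret_key: 's3cret-other' }
}.freeze
DEFAULT_API_KEY = 'abc123realkey'.freeze

# Minimal adapter: holds the credentials later API calls would sign with.
class Adapter
  attr_reader :api_key, :secret_key
  def initialize(cfg)
    @api_key    = cfg.fetch(:api_key)
    @secret_key = cfg.fetch(:secret_key)   # nil when the key is unknown
  end

  # Any real API call needs the secret; a nil secret is what "crashes the site".
  def sign(payload)
    raise ArgumentError, "no secret for api_key #{api_key}" if secret_key.nil?
    "#{payload}|signed-with-#{secret_key}"
  end
end

# Vulnerable shape: the unauthenticated query parameter wins over configuration,
# so any client picks the adapter, and a bogus key yields one with no secret.
def set_adapter_vulnerable(params)
  key = params['fb_sig_api_key']
  return Adapter.new(CONFIGURED_APPS[DEFAULT_API_KEY]) if key.nil?
  Adapter.new(api_key: key, secret_key: CONFIGURED_APPS.dig(key, :secret_key))
end

# Hardened shape: the parameter may only select among configured apps; anything
# else is ignored and recorded so the attempt shows up in the application log.
def set_adapter_hardened(params, rejected = [])
  key = params['fb_sig_api_key']
  unless key.nil? || CONFIGURED_APPS.key?(key)
    rejected << key      # worth alerting on: nobody legitimate sends this
    key = nil
  end
  Adapter.new(CONFIGURED_APPS[key || DEFAULT_API_KEY])
end
```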