[Facebooker-talk] Possible Security Hole in Facebooker -- Please Update!
David Clements
digidigo at gmail.com
Tue Feb 24 22:32:42 EST 2009
Does this change simply remove support for multiple adapters?
Dave
On Tue, Feb 24, 2009 at 6:06 PM, vincent chu <vincentchu at gmail.com> wrote:
> Hi all ---
>
> In the course of developing our Facebook connect app, we realized that
> there was a security hole in Facebooker that allows any malicious user to
> change the state of the Facebooker module and crash any controller/view that
> uses Facebooker to capture a Facebook session. For Facebook connect apps,
> this could potentially be in any view that uses the "set_facebook_session"
> before_filter.
>
> All the malicious user has to do is send a malformed HTTP request similar
> to:
>
> http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned
>
> The problem comes in the 'set_adapter' method of
> 'facebooker/lib/facebooker/rails/controller.rb' where Facebooker will
> attempt to load an adapter from the params hash if fb_sig_api_key is in the
> request (ignoring the configuration found in the facebooker.yml file). In
> this case, Facebooker would dutifully set the api_key to "you_are_pwned" and
> any subsequent call to Facebooker would try and use "you_are_pwned" as the
> api_key, causing it to crash the site.
>
> Kevin Lochner's already pushed an update to github, so update to the latest
> commit:
>
> 6a954874369354324d87b2fe09c24db4bd485faf
>
> http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf
>
> Cheers,
>
> Vince
>
> ----
> Vincent Chu
> Department of Applied Physics
> Geballe Laboratory of Advanced Materials
> McCullough Bldg. 318
> 476 Lomita Mall
> Stanford, CA, 94305
>
> Consider this:
> "The smallest positive integer not definable in under eleven words."
>
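The adapter-selection flaw described in the quoted report, shown as an added Ruby illustration (this is not Facebooker's code or the fix in the linked commit): a request-driven adapter lookup that trusts `fb_sig_api_key` beside a hardened version that only accepts keys present in the server-side configuration. All names (`CONFIGURED_ADAPTERS`, `select_adapter_*`) and the sample key values are constructed.

```ruby
# Stand-in for adapters loaded from facebooker.yml (constructed sample values).
CONFIGURED_ADAPTERS = {
  "real_api_key_from_yml" => { api_key: "real_api_key_from_yml", secret: "s3cret" }
}.freeze
DEFAULT_ADAPTER = CONFIGURED_ADAPTERS.values.first

# Vulnerable pattern: whatever the client sends as fb_sig_api_key becomes the
# api_key used for every later API call, so any unauthenticated request can
# poison module state and make subsequent calls fail.
def select_adapter_vulnerable(params)
  if params["fb_sig_api_key"]
    { api_key: params["fb_sig_api_key"], secret: nil }
  else
    DEFAULT_ADAPTER
  end
end

# Hardened pattern: the request may only choose among adapters that already
# exist in the server-side configuration (so multiple adapters still work).
# Unknown keys are logged and ignored, and the default adapter is used.
def select_adapter_hardened(params, log = [])
  key = params["fb_sig_api_key"]
  return DEFAULT_ADAPTER if key.nil?

  adapter = CONFIGURED_ADAPTERS[key]
  if adapter.nil?
    log << "ignored unknown fb_sig_api_key from request: #{key.inspect}"
    return DEFAULT_ADAPTER
  end
  adapter
end

if __FILE__ == $0
  hostile = { "fb_sig_api_key" => "you_are_pwned" }  # constructed request params
  puts select_adapter_vulnerable(hostile)[:api_key]    # you_are_pwned
  log = []
  puts select_adapter_hardened(hostile, log)[:api_key] # real_api_key_from_yml
  puts log
end
```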