[Facebooker-talk] Possible Security Hole in Facebooker -- Please Update!

David Clements digidigo at gmail.com
Wed Feb 25 10:55:42 EST 2009


Sorry I was a little grumpy last night, probably since I created the
security issue in the first place.

Not sure if I missed something like this but it would have helped me get on
top of it sooner if there was an email simply stating that there was a
security fix in the main branch.  Getting the email with the steps to
reproduce made it feel much more urgent to me.

This kind of hand-holding is probably more important to me since I am
maintaining Facebook sites and not as active in development currently.  So I
am not watching what is going on in the branch.


What I should have said was: thanks for finding this and fixing it.  Sorry
about that.

Dave


On 2/25/09, Mike Mangino <mmangino at elevatedrails.com> wrote:
>
> How would you recommend this be handled? Vincent reported the issue
> privately last week and waited to publicly report it until a fix was in the
> main branch. It was my call to report it publicly now. Is there some way we
> can do this better?
> Mike
>
> On Feb 25, 2009, at 12:31 AM, David Clements wrote:
>
> I forked the repo and fixed this issue without removing the functionality.
>
> I sent a pull request from
>
> http://github.com/digidigo/facebooker/tree/master
>
> In the future I would appreciate a little more discretion around security
> issues.  Publicizing it in this way required me to fix it immediately on my
> production environment rather than being able to wait for morning.
>
> Dave
>
> On 2/24/09, David Clements <digidigo at gmail.com> wrote:
>>
>> Does this change simply remove support for multiple adapters?
>>
>> Dave
>>
>>
>>
>> On Tue, Feb 24, 2009 at 6:06 PM, vincent chu <vincentchu at gmail.com> wrote:
>>
>>> Hi all ---
>>>
>>> In the course of developing our Facebook Connect app, we realized that
>>> there was a security hole in Facebooker that allows any malicious user to
>>> change the state of the Facebooker module and crash any controller/view that
>>> uses Facebooker to capture a Facebook session. For Facebook Connect apps,
>>> this could potentially be in any view that uses the "set_facebook_session"
>>> before_filter.
>>>
>>> All the malicious user has to do is send a malformed HTTP request similar
>>> to:
>>>
>>> http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned
>>>
>>> The problem comes in the 'set_adapter' method of
>>> 'facebooker/lib/facebooker/rails/controller.rb' where Facebooker will
>>> attempt to load an adapter from the params hash if fb_sig_api_key is in the
>>> request (ignoring the configuration found in the facebooker.yml file). In
>>> this case, Facebooker would dutifully set the api_key to "you_are_pwned" and
>>> any subsequent call to Facebooker would try and use "you_are_pwned" as the
>>> api_key, causing it to crash the site.
>>>
>>> Kevin Lochner's already pushed an update to github, so update to the
>>> latest commit:
>>>
>>> 6a954874369354324d87b2fe09c24db4bd485faf
>>>
>>> http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf
>>>
>>> Cheers,
>>>
>>> Vince
>>>
>>> ----
>>> Vincent Chu
>>> Department of Applied Physics
>>> Geballe Laboratory of Advanced Materials
>>> McCullough Bldg. 318
>>> 476 Lomita Mall
>>> Stanford, CA, 94305
>>>
>>> Consider this:
>>> "The smallest positive integer not definable in under eleven words."
>>>
>>> _______________________________________________
>>> Facebooker-talk mailing list
>>> Facebooker-talk at rubyforge.org
>>> http://rubyforge.org/mailman/listinfo/facebooker-talk
>>>
>>>
>>
>
> --
> Mike Mangino
> http://www.elevatedrails.com
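The adapter-selection bug Vince describes, modelled as an added example in plain Ruby. This is not Facebooker's own set_adapter code: the configuration hash standing in for facebooker.yml, the adapter names and API keys, and the helper names (FakeFacebooker, parse_query, set_adapter_vulnerable, set_adapter_hardened, call_api, api_call_ok?) are all constructed for the example. It shows the vulnerable shape, where any request carrying fb_sig_api_key overwrites module-level state so the next API call blows up, beside a hardened shape that keeps multiple-adapter support but only lets the request select an adapter that already exists in the configuration; an unknown key falls back to the configured default.

```ruby
# Added example, not Facebooker's code: models trusting fb_sig_api_key from the
# request (the bug described on the list) next to a config-bound alternative.
require 'cgi'

# Stand-in for the contents of facebooker.yml (constructed sample data).
CONFIGURED_ADAPTERS = {
  'main_app' => { 'api_key' => 'abc123', 'secret_key' => 'main-secret' },
  'connect'  => { 'api_key' => 'def456', 'secret_key' => 'connect-secret' },
}.freeze
DEFAULT_ADAPTER = 'main_app'

# Process-wide state, like the module-level settings the plugin kept.
class FakeFacebooker
  class << self
    attr_accessor :api_key, :secret_key
  end

  def self.reset!
    cfg = CONFIGURED_ADAPTERS[DEFAULT_ADAPTER]
    self.api_key = cfg['api_key']
    self.secret_key = cfg['secret_key']
  end
end

# Turn a request URL into a flat params hash (first value per key).
def parse_query(url)
  query = url.split('?', 2)[1] || ''
  CGI.parse(query).transform_values(&:first)
end

# Vulnerable shape: any request carrying fb_sig_api_key rewrites global state,
# and no secret exists for an api_key that came from the attacker.
def set_adapter_vulnerable(params)
  FakeFacebooker.reset!
  if params.key?('fb_sig_api_key')
    FakeFacebooker.api_key = params['fb_sig_api_key']
    FakeFacebooker.secret_key = nil
  end
  FakeFacebooker.api_key
end

# Hardened shape: the request may only *select* among configured adapters.
# Multiple adapters still work; an unknown key leaves the default in place.
def set_adapter_hardened(params)
  FakeFacebooker.reset!
  requested = params['fb_sig_api_key']
  _name, cfg = CONFIGURED_ADAPTERS.find { |_, c| c['api_key'] == requested }
  if cfg
    FakeFacebooker.api_key = cfg['api_key']
    FakeFacebooker.secret_key = cfg['secret_key']
  end
  FakeFacebooker.api_key
end

# Simulated follow-up API call: fails, as the real site did, when the process
# holds an api_key it has no secret for.
def call_api
  if FakeFacebooker.secret_key.nil?
    raise "no secret configured for api_key #{FakeFacebooker.api_key.inspect}"
  end
  "ok:#{FakeFacebooker.api_key}"
end

def api_call_ok?
  call_api
  true
rescue RuntimeError
  false
end

if __FILE__ == $0
  attack = parse_query('http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned')

  puts "vulnerable: api_key=#{set_adapter_vulnerable(attack)} call_ok=#{api_call_ok?}"
  puts "hardened:   api_key=#{set_adapter_hardened(attack)} call_ok=#{api_call_ok?}"

  legit = parse_query('http://my.rails.app.com/some_controller/?fb_sig_api_key=def456')
  puts "hardened (configured second adapter): api_key=#{set_adapter_hardened(legit)}"
end
```

The point of the hardened version is that request data never becomes configuration; it is only a lookup key into configuration the operator wrote. Whatever the real fix in the plugin does, that is the property to check for when you review it.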