[Facebooker-talk] Possible Security Hole in Facebooker -- Please Update!

kevin lochner klochner at gmail.com
Wed Feb 25 12:02:44 EST 2009


I was short on time and unfamiliar with the code when I put the fix
in, which is why I went with the nuclear option of removing the before
filter. I was a little surprised to see all tests passing with the
before filter removed.

In addition to user-verification of the fix, we could use a test
breaking the old version and working under david's new patch.
Unfortunately I'm low on spare cycles . . .

  - kevin

On Feb 25, 2009, at 11:00 AM, David Clements wrote:

> In case it got lost in my grumpiness last night.
>
> The patch to fix this issue simply turned off adapter support.  Is  
> that correct?
>
> I sent a pull request from my fork http://github.com/digidigo/facebooker/tree/master 
>   which should fix the issue and preserve the behavior.  If anyone  
> is using Facebooker to run multiple apps or Bebo it would be great  
> if you could check it out and make sure that it didn't break.
>
> Thanks,
>
> Dave
>
> On 2/24/09, vincent chu <vincentchu at gmail.com> wrote:
> Hi all ---
>
> In the course of developing our Facebook connect app, we realized
> that there was a security hole in Facebooker that allows any
> malicious user to change the state of the Facebooker module and
> crash any controller/view that uses Facebooker to capture a Facebook
> session. For Facebook connect apps, this could potentially be in any
> view that uses the "set_facebook_session" before_filter.
>
> All the malicious user has to do is send a malformed HTTP request  
> similar to:
>
> http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned
>
> The problem comes in the 'set_adapter' method of 'facebooker/lib/ 
> facebooker/rails/controller.rb' where Facebooker will attempt to  
> load an adapter from the params hash if fb_sig_api_key is in the  
> request (ignoring the configuration found in the facebooker.yml  
> file). In this case, Facebooker would dutifully set the api_key to  
> "you_are_pwned" and any subsequent call to Facebooker would try and  
> use "you_are_pwned" as the api_key, causing it to crash the site.
>
> Kevin Lochner's already pushed an update to github, so update to the  
> latest commit:
>
> 6a954874369354324d87b2fe09c24db4bd485faf
> http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf
>
> Cheers,
>
> Vince
>
> ----
> Vincent Chu
> Department of Applied Physics
> Geballe Laboratory of Advanced Materials
> McCullough Bldg. 318
> 476 Lomita Mall
> Stanford, CA, 94305
>
> Consider this:
> "The smallest positive integer not definable in under eleven words."
>
> _______________________________________________
> Facebooker-talk mailing list
> Facebooker-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/facebooker-talk
>

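The adapter-selection flaw Vince describes, as an added illustration that is not Facebooker's own code: a simplified `set_adapter` that trusts whatever `fb_sig_api_key` arrives, beside a hardened one that only honours keys actually present in facebooker.yml. The YAML, app names, key values and the `sign_with` helper are constructed placeholders.

```ruby
require 'yaml'

# Constructed stand-in for facebooker.yml (multi-app setup); keys are placeholders.
FACEBOOKER_CONFIG = YAML.safe_load(<<~YML)
  default:
    api_key: DEFAULT_KEY_PLACEHOLDER
    secret_key: DEFAULT_SECRET_PLACEHOLDER
  bebo_app:
    api_key: BEBO_KEY_PLACEHOLDER
    secret_key: BEBO_SECRET_PLACEHOLDER
YML

KNOWN_API_KEYS = FACEBOOKER_CONFIG.values.map { |cfg| cfg['api_key'] }

class UnknownApiKeyError < StandardError; end

# Hypothetical stand-in for any later Facebooker call that signs a request
# with the selected app's key: an unconfigured key has no secret, so it fails.
def sign_with(config)
  raise UnknownApiKeyError, config['api_key'] unless KNOWN_API_KEYS.include?(config['api_key'])
  "signed-with-#{config['api_key']}"
end

# Vulnerable pattern (simplified, not the real method): whatever arrives in
# fb_sig_api_key becomes the active adapter, overriding facebooker.yml.
def set_adapter_vulnerable(params)
  key = params['fb_sig_api_key']
  return FACEBOOKER_CONFIG['default'] if key.nil?
  { 'api_key' => key, 'secret_key' => nil }
end

# Hardened pattern: fb_sig_api_key may only select among configured apps;
# an unknown key is ignored and the default adapter is used (rejecting the
# request with a 400 would be the other reasonable choice).
def set_adapter_hardened(params)
  key = params['fb_sig_api_key']
  return FACEBOOKER_CONFIG['default'] if key.nil?
  FACEBOOKER_CONFIG.values.find { |cfg| cfg['api_key'] == key } || FACEBOOKER_CONFIG['default']
end

# Constructed requests: the malformed one from Vince's report and a legitimate multi-app one.
MALFORMED_PARAMS = { 'fb_sig_api_key' => 'you_are_pwned' }
LEGIT_BEBO_PARAMS = { 'fb_sig_api_key' => 'BEBO_KEY_PLACEHOLDER' }
```

With the vulnerable selector, `sign_with(set_adapter_vulnerable(MALFORMED_PARAMS))` raises, which is the crash Vince saw; with the hardened one the same request is served with the default app's key, and a known second app's key still selects that app.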