[Facebooker-talk] Possible Security Hole in Facebooker -- Please Update!

David Clements digidigo at gmail.com
Wed Feb 25 13:10:39 EST 2009


Cool, thanks for taking a look.  Looks like I can just add a condition to
that call

if request_comes_from_facebook?

I'll try to get to it later today.

Dave

On 2/25/09, vincent chu <vincentchu at gmail.com> wrote:
>
> Hi David ---
>
> I took a look at your fix. Though I'm somewhat unfamiliar with exactly what
> you want to do, I think it would be prudent to validate that the incoming
> params hash actually originates from facebook before using the parameters to
> reset the adapter. This way, you never touch the adapter until you're sure
> that it's Facebook sending the request, and not some malicious actor.
>
> Cheers,
>
> Vince
> ----
> Vincent Chu
> Department of Applied Physics
> Geballe Laboratory of Advanced Materials
> McCullough Bldg. 318
> 476 Lomita Mall
> Stanford, CA, 94305
>
>
> Consider this:
> "The smallest positive integer not definable in under eleven words."
>
>
> On Wed, Feb 25, 2009 at 9:02 AM, kevin lochner <klochner at gmail.com> wrote:
>
>> I was short on time and unfamiliar with the code when I put the fix in,
>> which is why I went with the nuclear option of removing the before filter.
>> I was a little surprised to see all tests passing with the before filter
>> removed.
>> In addition to user-verification of the fix, we could use a test breaking
>> the old version and working under David's new patch.  Unfortunately I'm low
>> on spare cycles . . .
>>
>>  - kevin
>>
>>
>> On Feb 25, 2009, at 11:00 AM, David Clements wrote:
>>
>> In case it got lost in my grumpiness last night.
>>
>> The patch to fix this issue simply turned off adapter support.  Is that
>> correct?
>>
>> I sent a pull request from my fork
>> http://github.com/digidigo/facebooker/tree/master  which should fix the
>> issue and preserve the behavior.  If anyone is using Facebooker to run
>> multiple apps or Bebo it would be great if you could check it out and make
>> sure that it didn't break.
>>
>> Thanks,
>>
>> Dave
>>
>> On 2/24/09, vincent chu <vincentchu at gmail.com> wrote:
>>>
>>> Hi all ---
>>>
>>> In the course of developing our Facebook connect app, we realized that
>>> there was a security hole in Facebooker that allows any malicious user to
>>> change the state of the Facebooker module and crash any controller/view that
>>> uses Facebooker to capture a Facebook session. For Facebook connect apps,
>>> this could potentially be in any view that uses the "set_facebook_session"
>>> before_filter.
>>>
>>> All the malicious user has to do is send a malformed HTTP request similar
>>> to:
>>>
>>> http://my.rails.app.com/some_controller/?fb_sig_api_key=you_are_pwned
>>>
>>> The problem comes in the 'set_adapter' method of
>>> 'facebooker/lib/facebooker/rails/controller.rb' where Facebooker will
>>> attempt to load an adapter from the params hash if fb_sig_api_key is in the
>>> request (ignoring the configuration found in the facebooker.yml file). In
>>> this case, Facebooker would dutifully set the api_key to "you_are_pwned" and
>>> any subsequent call to Facebooker would try and use "you_are_pwned" as the
>>> api_key, causing it to crash the site.
>>>
>>> Kevin Lochner's already pushed an update to github, so update to the
>>> latest commit:
>>>
>>> 6a954874369354324d87b2fe09c24db4bd485faf
>>>
>>> http://github.com/mmangino/facebooker/commit/6a954874369354324d87b2fe09c24db4bd485faf
>>>
>>> Cheers,
>>>
>>> Vince
>>>
>>> ----
>>> Vincent Chu
>>> Department of Applied Physics
>>> Geballe Laboratory of Advanced Materials
>>> McCullough Bldg. 318
>>> 476 Lomita Mall
>>> Stanford, CA, 94305
>>>
>>> Consider this:
>>> "The smallest positive integer not definable in under eleven words."
>>>
>>> _______________________________________________
>>> Facebooker-talk mailing list
>>> Facebooker-talk at rubyforge.org
>>> http://rubyforge.org/mailman/listinfo/facebooker-talk
>>>
>>>
>>
>>
>>
>>
>>
>
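Added example (not Facebooker's own code, and not the patch from Dave's fork): a Ruby model of the `set_adapter` filter Vince describes beside a version guarded the way Dave proposes with `request_comes_from_facebook?`. The class and method names, the `apps` hash standing in for facebooker.yml, and the signature scheme (MD5 over the sorted fb_sig_* params plus the app secret) are assumptions made for the example.

```ruby
require 'digest/md5'
# Added example, not Facebooker's own code. The vulnerable filter switches
# adapters whenever fb_sig_api_key appears in params; the hardened one first
# verifies fb_sig against the secret configured for the claimed key, so an
# unsigned request cannot change application state.
class AdapterSwitcher
  attr_reader :api_key
  # apps: api_key => secret, as facebooker.yml would supply (constructed).
  def initialize(default_key, apps)
    @apps = apps
    @api_key = default_key
  end

  # Vulnerable: trusts any request that merely names an api key.
  def set_adapter_vulnerable(params)
    @api_key = params['fb_sig_api_key'] if params['fb_sig_api_key']
    @api_key
  end

  # Hardened: the claimed key must be configured AND the request must
  # carry a signature computed with that key's secret.
  def set_adapter_safe(params)
    claimed = params['fb_sig_api_key']
    return @api_key if claimed.nil?
    secret = @apps[claimed]
    return @api_key unless secret && request_comes_from_facebook?(params, secret)
    @api_key = claimed
  end

  # Facebook platform signature as assumed here (2009 scheme): MD5 of the
  # sorted "name=value" pairs of every fb_sig_* param with the prefix
  # stripped, concatenated without separators, followed by the secret.
  def self.signature(params, secret)
    pairs = params.select { |k, _| k.start_with?('fb_sig_') }
                  .map { |k, v| "#{k.sub('fb_sig_', '')}=#{v}" }
                  .sort
    Digest::MD5.hexdigest(pairs.join + secret)
  end

  def request_comes_from_facebook?(params, secret)
    sig = params['fb_sig']
    return false if sig.nil?
    expected = self.class.signature(params, secret)
    # Constant-time comparison so timing does not leak the expected digest.
    sig.bytesize == expected.bytesize &&
      sig.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```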