List: bugtraq
Subject: [BMSA-2011-01] Insecure secure cookie in web.go
From: Nam Nguyen <namn () bluemoon ! com ! vn>
Date: 2011-02-25 9:27:00
Message-ID: 20110225162700.03154082.namn () bluemoon ! com ! vn
BLUE MOON SECURITY ADVISORY 2011-01
===================================
> Title: Insecure secure cookie in web.go
> Severity: Low
> Reporter: Blue Moon Consulting
> Products: web.go
> Fixed in: --
Description
-----------
web.go is the simplest way to write web applications in the Go programming language. It's ideal for writing simple, performant backend web services.
web.go's secure cookie is modeled after Tornado. It suffers the same vulnerability that was documented in `BMSA 2010-01 <http://www.bluemoon.com.vn/advisories/bmsa201001.html>`_.
This vulnerability is rated at low severity because exploitation depends on situational conditions.
Workaround
----------
There is no workaround.
Fix
---
There is no fix at the moment.
Disclosure
----------
Blue Moon Consulting adopts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
> Initial vendor contact:
November 19, 2010: Notice sent to Michael Hoisie.
> Vendor response:
November 20, 2010: Michael replied confirming the bug and promising to update it.
> Further communication:
January 12, 2011: Quick ping sent to Michael to ask for an estimated time of a fix and to coordinate an announcement on January 17.
> Public disclosure: February 25, 2011
> Exploit code:
No exploit code required.
Disclaimer
----------
The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.