
List:       bugtraq
Subject:    [BMSA-2011-01] Insecure secure cookie in web.go
From:       Nam Nguyen <namn () bluemoon ! com ! vn>
Date:       2011-02-25 9:27:00
Message-ID: 20110225162700.03154082.namn () bluemoon ! com ! vn


BLUE MOON SECURITY ADVISORY 2011-01
===================================


> Title: Insecure secure cookie in web.go
> Severity: Low
> Reporter: Blue Moon Consulting
> Products: web.go
> Fixed in: --


Description
-----------

web.go is the simplest way to write web applications in the Go programming language. \
It's ideal for writing simple, performant backend web services.

web.go's secure cookie is modeled after Tornado. It suffers the same vulnerability \
that was documented in `BMSA 2010-01 \
<http://www.bluemoon.com.vn/advisories/bmsa201001.html>`_.

This vulnerability is rated at low severity because exploitation depends on situational conditions.

Workaround
----------

There is no workaround.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adopts `RFPolicy v2.0 \
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

> Initial vendor contact:

  November 19, 2010: Notice sent to Michael Hoisie.

> Vendor response:

  November 20, 2010: Michael replied confirming the bug and promising to update it.

> Further communication:

  January 12, 2011: Quick ping sent to Michael to ask for an estimated time of a fix \
and coordinate an announcement on January 17.

> Public disclosure:

  February 25, 2011

> Exploit code:

  No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any \
kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or \
implied, including the warranties of merchantability and fitness for a particular \
purpose. Your use of the information on the advisory or materials linked from the \
advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to \
change or update this notice at any time.

