
Re: Issues regarding ruby-rack/CVE-2019-16782



Hi

Precisely. This is why I was asking about the length of the session id used. With the length we can estimate how many times an attacker may try to find all possible values.
If this is small enough (and the attacker is close enough) it can be exploited. But if the session key is really large, then there is no way that this can be done in practice even with years of tries.

// Ola

On Tue, 18 Feb 2020 at 09:50, Brian May <bam@debian.org> wrote:
Ola Lundqvist <ola@inguza.com> writes:

> So regarding your thought about why Rack has this and not others. Well I
> think all have the same issue. I think it is a little of a stretch that
> this can be used in practice. I mean an attacker must do a broad search of
> all possible session identifiers to make use of this. Or have I
> misunderstood something?

I suspect you are mostly correct.

However, how many people would really notice if an attacker made numerous
connections to their website in an attempt to exploit this?
--
Brian May <bam@debian.org>


--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

