[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Issues regarding ruby-rack/CVE-2019-16782


Precisely. This is why I was asking about the length of the session id used. With the length we can estimate how many times an attacker my try to find all possible values.
If this is small enough (and the attacker is close enough) it can be exploited. But if the session key is really large, then there is no way that this can be done in practice even with ears of tries.

// Ola

On Tue, 18 Feb 2020 at 09:50, Brian May <bam@debian.org> wrote:
Ola Lundqvist <ola@inguza.com> writes:

> So regarding your throught about why Rack has this and not others. Well I
> think all have the same issue. I think it is a little of a stretch that
> this can be used in practice. I mean an attacker must do a broad search of
> all possible session identifiers to make use of this. Or have I
> misunderstood something?

I suspect you are mostly correct.

However how many people would really notice if an attacker made numerous
connections to their website in attempt to exploit this?
Brian May <bam@debian.org>

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: