Closed Linutux closed 11 years ago
If you read the code, you'll notice that there is no hard coded value for the 'secret token' in that file.
In test envs this is automatically generated; in production it's contained in a non-git-committed config file.
Closing as incorrect.
Thank you for mentioning it though!
I'm sorry, I confused two git repos. I had two browser tabs with the same file open and that's what happened. I'm sorry!
But nevertheless it could be of interest for others, who also have rails apps on Github.
No worries :). Sorry if I sounded short, I was typing it from a phone.
Also, interestingly enough, when I saw that blog post that you referenced and Googled for 'secret_token.rb' on github... This repo was one of the first to come up. I was happy to see that it wasn't truly vulnerable :).
Your git repo contains /config/initializers/secret_token.rb. This file is used to encrypt cookies. If someone knows this secret, he could pretend to be UID=1 (Admin) and could break into any system running the bare rstat.us Git repo.
More info: http://www.phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html
Workaround: Remove the file and provide an example file with a different secret than the one used on rstat.us
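The two behaviours the maintainer describes (a freshly generated token outside production, a token read from a git-ignored file in production), plus a check for the literal-token pattern the report worried about, as an added example that is not rstat.us code. `SecretTokenPolicy`, `MyApp`, the `config/secret_token.yml` path and the sample initializers are all assumptions made for the example.

```ruby
require 'securerandom'

# Hypothetical helper, not part of rstat.us or Rails.
module SecretTokenPolicy
  # `rake secret` emits 128 hex characters; anything else is suspect.
  TOKEN = /\h{128}/

  # Resolve the token for `env`. `untracked_file` is the text of the
  # git-ignored config file, or nil when it is absent.
  def self.resolve(env, untracked_file)
    return SecureRandom.hex(64) unless env == 'production' # fresh per boot
    raise 'production secret file missing' if untracked_file.nil?
    token = untracked_file[/\A\s*secret_token:\s*(\h+)\s*\z/, 1]
    raise 'secret_token is not a 128-hex-char value' unless token&.match?(/\A#{TOKEN}\z/)
    token
  end

  # 1-based line numbers in an initializer that assign a literal token,
  # i.e. the shape that leaks the secret once the file is committed.
  def self.hardcoded_lines(source)
    source.each_line.with_index(1)
          .select { |line, _| line =~ /secret_token\s*=\s*['"]#{TOKEN}['"]/ }
          .map { |_, n| n }
  end
end

# Constructed sample initializers; neither is taken from any repository.
COMMITTED_STYLE = <<~RUBY
  # config/initializers/secret_token.rb
  MyApp::Application.config.secret_token = '#{'ab' * 64}'
RUBY

SAFE_STYLE = <<~RUBY
  # config/initializers/secret_token.rb
  path = 'config/secret_token.yml' # listed in .gitignore
  MyApp::Application.config.secret_token =
    SecretTokenPolicy.resolve(Rails.env, File.exist?(path) ? File.read(path) : nil)
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "literal token on lines: #{SecretTokenPolicy.hardcoded_lines(COMMITTED_STYLE).inspect}"
  puts "safe initializer flags: #{SecretTokenPolicy.hardcoded_lines(SAFE_STYLE).inspect}"
end
```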