oceanobservatories / ooi-ui-services

Ocean Observatories Initiative - User Interface Services for CI Integration
Apache License 2.0

Security Bug #336

Open lukecampbell opened 9 years ago

lukecampbell commented 9 years ago

https://github.com/asascience-open/ooi-ui-services/blob/84b8fbb83e1eda8953a341c6492a3acdca70413b/ooiservices/app/models.py#L1088-L1090

I played around with this, and if the application secret key is discovered or leaked then it's possible for arbitrary user escalation. If you encode the token using some secure salt then it will limit the ability for privilege escalation.

lukecampbell commented 9 years ago

Here's proof, if I find out the application secret key, I can pretend to log in as anyone by generating a token:

```python
# Requires itsdangerous < 2.1: TimedJSONWebSignatureSerializer was removed in 2.1.
from itsdangerous import TimedJSONWebSignatureSerializer as Serializer

# Placeholder for the leaked Flask SECRET_KEY; the attacker substitutes the real value.
exposed_key = "the-leaked-flask-SECRET_KEY"

admin_user_id = 1
# The serializer signs with the app key alone, so whoever holds the key can mint a
# token for any user id, valid here for 24 hours.
s = Serializer(exposed_key, expires_in=3600 * 24)
token = s.dumps({"id": admin_user_id})
```

DanielJMaher commented 8 years ago

@lukecampbell So is this really something we need to work with or is this a "Hey Rutgers, don't let people know the secret key!"

lukecampbell commented 8 years ago

Rotating the secret keys is a start.
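The forgery above and the two mitigations raised in the thread (a per-user "salt" and key rotation) side by side, as an added example that is not part of this issue or of ooi-ui-services. It re-implements the signed-payload token idea behind itsdangerous with the standard library only, so it runs with no dependencies; `APP_SECRET_KEY`, the `USERS` table, the token layout and the function names are all constructed for the demonstration. The hardened variant derives the signing key from the app key plus the user's stored password hash, so the app key alone no longer mints a valid token, and verification accepts a list of keys so an old key can be retired.

```python
"""Signed auth tokens: why a leaked app key lets anyone mint an admin token,
and two mitigations (per-user secret, key rotation). Stdlib re-implementation
of the itsdangerous-style scheme; everything here is constructed, not project code."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the Flask app's SECRET_KEY (the value assumed leaked).
APP_SECRET_KEY = b"ooi-app-secret-key"

# Constructed user table: id -> stored password hash, as the server would hold it.
USERS = {
    1: {"name": "admin", "password_hash": hashlib.sha256(b"admin-pw").hexdigest()},
    42: {"name": "alice", "password_hash": hashlib.sha256(b"alice-pw").hexdigest()},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def _payload(user_id, expires_in, now):
    now = int(time.time()) if now is None else now
    claims = {"id": user_id, "exp": now + expires_in}
    return _b64(json.dumps(claims, separators=(",", ":")).encode())


def _decode(token, now):
    """Split token into (body, sig, claims); raise on malformed or expired input."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims["exp"] < now:
        raise ValueError("expired")
    return body, sig, claims


# --- original scheme: the app key is the only secret -------------------------

def issue_token_v1(user_id, key=APP_SECRET_KEY, expires_in=3600, now=None):
    """Like Serializer(key).dumps({"id": user_id}): whoever holds `key` can
    produce a token for any user id, no password needed."""
    body = _payload(user_id, expires_in, now)
    return body + "." + _sign(key, body)


def verify_token_v1(token, key=APP_SECRET_KEY, now=None):
    """Return the user id, or None if the signature or expiry check fails."""
    try:
        body, sig, claims = _decode(token, now)
    except (ValueError, KeyError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(key, body)):
        return None
    return claims["id"]


# --- hardened scheme: per-user secret plus key rotation ----------------------

def _user_key(app_key, user_id):
    """Signing key = HMAC(app_key, user's password hash). The app key alone no
    longer suffices, and changing the password revokes outstanding tokens."""
    pw_hash = USERS[user_id]["password_hash"].encode()
    return hmac.new(app_key, pw_hash, hashlib.sha256).digest()


def issue_token_v2(user_id, keys, expires_in=3600, now=None):
    """`keys` is newest-first; always sign with the newest key."""
    body = _payload(user_id, expires_in, now)
    return body + "." + _sign(_user_key(keys[0], user_id), body)


def verify_token_v2(token, keys, now=None):
    """Accept a signature under any key still in `keys`; dropping a key from the
    list (rotation) invalidates everything signed with it."""
    try:
        body, sig, claims = _decode(token, now)
        user_id = claims["id"]
        if user_id not in USERS:
            return None
    except (ValueError, KeyError, TypeError):
        return None
    for key in keys:
        if hmac.compare_digest(sig, _sign(_user_key(key, user_id), body)):
            return user_id
    return None


def demo():
    """Walk through the attack and the mitigations; returns the outcomes."""
    leaked = APP_SECRET_KEY                     # the attacker has learned the app key
    forged = issue_token_v1(1, key=leaked)      # mint an admin token with no password
    new_key = b"rotated-app-secret-key"         # constructed replacement key
    old_v2 = issue_token_v2(1, keys=[APP_SECRET_KEY])
    return {
        "v1_accepts_forged_admin": verify_token_v1(forged) == 1,
        "v2_rejects_forged_admin": verify_token_v2(forged, keys=[APP_SECRET_KEY]) is None,
        "v2_accepts_old_key_during_rotation":
            verify_token_v2(old_v2, keys=[new_key, APP_SECRET_KEY]) == 1,
        "v2_rejects_old_key_after_retirement": verify_token_v2(old_v2, keys=[new_key]) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: rotation only helps if the new key does not leak the same way the old one did, and the per-user derivation still falls to an attacker who obtains both the app key and the target's password hash (for example through a database dump), so it narrows the blast radius of a leaked key rather than removing the need to protect it.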