[BMSA-2011-01] Insecure secure cookie in web.go

看板Bugtraq作者時間15年前 (2011/02/26 03:01), 編輯推噓0(000)
留言0則, 0人參與, 最新討論串1/1
--Signature=_Fri__25_Feb_2011_16_27_00_+0700_DBj2LqhWq7yCJutF Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: quoted-printable BLUE MOON SECURITY ADVISORY 2011-01 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D :Title: Insecure secure cookie in web.go :Severity: Low :Reporter: Blue Moon Consulting :Products: web.go :Fixed in: -- Description ----------- web.go is the simplest way to write web applications in the Go programming = language. It's ideal for writing simple, performant backend web services. web.go's secure cookie is modeled after Tornado. It suffers the same vulner= ability that was documented in `BMSA 2010-01 <http://www.bluemoon.com.vn/ad= visories/bmsa201001.html>`_. This vulnerability is rated at low severity due to situational exploiting c= onditions. Workaround ---------- There is no workaround. Fix --- There is no fix at the moment. Disclosure ---------- Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/pol= icy.html>`_ in notifying vendors. :Initial vendor contact: November 19, 2010: Notice sent to Michael Hoisie. :Vendor response: November 20, 2010: Michael replied confirming the bug and promising to up= date it. :Further communication: January 12, 2011: Quick ping sent to Michael to ask for an estimated time= of a fix and coordinate an announcement on January 17. =20 :Public disclosure: February 25, 2011 :Exploit code: No exploit code required. Disclaimer ---------- The information provided in this advisory is provided "as is" without warra= nty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, ei= ther express or implied, including the warranties of merchantability and fi= tness for a particular purpose. Your use of the information on the advisory= or materials linked from the advisory is at your own risk. Blue Moon Consu= lting Co., Ltd reserves the right to change or update this notice at any ti= me. --Signature=_Fri__25_Feb_2011_16_27_00_+0700_DBj2LqhWq7yCJutF Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iEYEARECAAYFAk1ndeQACgkQbKzcTD214ZcyYACfXXG1fxhs23VDU1vNp9qKI2tc 3RIAnAtjqoGuEwWgGjV+r8gRcs7chSie =0hB0 -----END PGP SIGNATURE----- --Signature=_Fri__25_Feb_2011_16_27_00_+0700_DBj2LqhWq7yCJutF--
文章代碼(AID): #1DP_nloP (Bugtraq)