Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[BMSA-2011-01] Insecure secure cookie in web.go
From: Nam Nguyen <namn () bluemoon com vn>
Date: Fri, 25 Feb 2011 16:27:00 +0700

BLUE MOON SECURITY ADVISORY 2011-01
===================================


:Title: Insecure secure cookie in web.go
:Severity: Low
:Reporter: Blue Moon Consulting
:Products: web.go
:Fixed in: --


Description
-----------

web.go is the simplest way to write web applications in the Go programming language. It's ideal for writing simple, 
performant backend web services.

web.go's secure cookie is modeled after Tornado. It suffers the same vulnerability that was documented in `BMSA 2010-01 
<http://www.bluemoon.com.vn/advisories/bmsa201001.html>`_.

This vulnerability is rated at low severity due to situational exploiting conditions.

Workaround
----------

There is no workaround.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  November 19, 2010: Notice sent to Michael Hoisie.

:Vendor response:

  November 20, 2010: Michael replied confirming the bug and promising to update it.

:Further communication:

  January 12, 2011: Quick ping sent to Michael to ask for an estimated time of a fix and coordinate an announcement on 
January 17.
  
:Public disclosure: February 25, 2011

:Exploit code:

  No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., 
Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a 
particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own 
risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • [BMSA-2011-01] Insecure secure cookie in web.go Nam Nguyen (Feb 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]