References
Overview
The Ruby on Rails framework can store session state in several ways.
One of them is a special cookie. With the cookie store the session hash is serialised with Marshal, Base64-encoded, and authenticated with an HMAC computed under the application's signing secret (the secret_token). An attacker who knows that secret can produce a correctly signed cookie of their own choosing; when the application server verifies the signature and unmarshals the payload, the crafted object graph can cause arbitrary code execution. If authentication is handled by Ruby on Rails, the cookie is parsed (and the code executed) before any authentication check runs.
The result is unauthenticated remote code execution. It can be used to run a command shell on the application server with the privileges of the web server user.
Recommendations:
Do not leak the signing secret. We obtained the signing secret via a path traversal bug, and there are other ways it could leak, including being checked into a source control system like GitHub or incorrect file system permissions. If session information is stored in cookies it is critical that the signing secret is protected. If the secret may already have been exposed, rotate it (config/initializers/secret_token.rb in Rails 3); every cookie signed with the old value then stops verifying.
Rather than in cookies, session data can be stored on the server, in the database. In this case no HMAC is generated and the signing secret is not used for the session. Instead the cookie should carry only a securely generated 128-bit random session identifier, which is used to look up the session in a database (or an in-memory store) on the server. Because the server then only ever unmarshals data it wrote itself, a forged cookie is at worst an identifier that is not found. This is the preferred and most secure solution to this issue. Note that the secret_token is still used to sign other cookies (for example cookies.signed), so a leaked secret must be rotated even after switching stores.
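The following is an added example, not code from the original page or from Rails itself. It models the two designs described above in miniature: first the cookie store (session hash serialised with Marshal, Base64-encoded, authenticated with HMAC-SHA1 in the "payload--hexdigest" form that ActiveSupport::MessageVerifier produces), showing that tampering without the secret is rejected but that anyone holding the secret can mint a cookie the server accepts and unmarshals; then the server-side store the page recommends, where the cookie carries only a 128-bit random identifier. The secret value, the session contents and the function names are constructed for the illustration. The forgery shown is a privileged session hash rather than a code-execution gadget; the point is that the same Marshal.load call would rebuild any object graph the attacker chooses.

```ruby
require "base64"
require "openssl"
require "securerandom"

# Constant-time comparison so the MAC check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Part 1: cookie-based session store (the vulnerable design) -----------

# Serialise, encode and sign the session hash under the application secret.
def cookie_store_generate(secret, session)
  payload = Base64.strict_encode64(Marshal.dump(session))
  digest  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
  "#{payload}--#{digest}"
end

# Returns the session hash, or nil if the MAC does not verify.
def cookie_store_load(secret, cookie)
  payload, digest = cookie.split("--", 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
  return nil unless secure_compare(expected, digest)
  # The dangerous step: Marshal.load rebuilds whatever object graph the
  # (now trusted) payload describes. Whoever holds the secret controls it.
  Marshal.load(Base64.decode64(payload))
end

# --- Part 2: server-side session store (the recommended design) -----------

class ServerSideSessionStore
  def initialize
    @rows = {} # stands in for the sessions table or an in-memory store
  end

  # Creates a session and returns the only thing that goes in the cookie:
  # a 128-bit random identifier. No secret is involved.
  def create(session)
    sid = SecureRandom.hex(16) # 16 random bytes = 128 bits
    @rows[sid] = Marshal.dump(session)
    sid
  end

  # Marshal.load only ever sees bytes this server wrote itself; an
  # attacker-supplied cookie can at worst be an id that is not found.
  def load(sid)
    data = @rows[sid]
    data && Marshal.load(data)
  end
end

# --- Worked scenario (constructed values) ---------------------------------

# Stands in for the value in config/initializers/secret_token.rb.
SECRET = "constructed-leaked-secret-token".freeze

def scenario
  legit = cookie_store_generate(SECRET, { "user_id" => 17 })
  # Tampering without the secret: swap the payload, keep the original MAC.
  tampered = "QQ==--" + legit.split("--", 2)[1]
  # Forgery with the leaked secret: any session hash the attacker likes.
  forged = cookie_store_generate(SECRET, { "user_id" => 1, "admin" => true })

  store = ServerSideSessionStore.new
  sid   = store.create({ "user_id" => 17 })

  {
    legit:    cookie_store_load(SECRET, legit),              # accepted
    tampered: cookie_store_load(SECRET, tampered),           # nil: MAC fails
    forged:   cookie_store_load(SECRET, forged),             # accepted: secret known
    server:   store.load(sid),                               # found by id
    guessed:  store.load(SecureRandom.hex(16)),              # nil: unknown id
  }
end

if __FILE__ == $PROGRAM_NAME
  scenario.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

The cookie store's only defence is the MAC, so its security is exactly the secrecy of the key; the server-side store has no MAC to forge because the cookie is a lookup handle, and guessing a 128-bit identifier is infeasible.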
Use the database for sessions

Generate the sessions table migration (two equivalent forms, depending on the Rails version):
  rake db:sessions:create
  rails generate session_migration
Run the migration:
  rake db:migrate
  rake db:migrate VERSION=20120813055814   # or run it by version
config/initializers/session_store.rb:

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with "rails generate session_migration")
xxxx::Application.config.session_store :active_record_store

(Uncomment the last line; xxxx is the application's module name. In Rails 4 and later the ActiveRecord store is provided by the separate activerecord-session_store gem.)
Restart the server.
mysql> select * from sessions;
+----+----------------------------------+------+---------------------+---------------------+
| id | session_id                       | data | created_at          | updated_at          |
+----+----------------------------------+------+---------------------+---------------------+
|  5 | 3082d2a590ffaa03e3796415dd3a9172 | (*)  | 2013-03-06 17:00:30 | 2013-03-06 17:00:43 |
+----+----------------------------------+------+---------------------+---------------------+
5 rows in set (0.00 sec)

(*) data column as stored, wrapped for display:
BAh7CSIQX2NzcmZfdG9rZW4iMXJCclVmZ1h1ZnpmU2V2bm5oZHFGU1YrMTJC
Zytob3RzejhGSklnZTFvNlU9IgxvcmlfdXJsIipodHRwczovL3FyZC1kbS5x
dWFsY29tbS5jb20vY3Jhc2hsb2dzIgx1c2VyX2lkIg1kb25neW9uZyIKZmxh
c2hJQzolQWN0aW9uRGlzcGF0Y2g6OkZsYXNoOjpGbGFzaEhhc2h7BjoLbm90
aWNlIhdjcmVhdGU6IExvZ2dlZCBpbiEGOgpAdXNlZG86CFNldAY6CkBoYXNo
ewY7BlQ=

Only one of the rows is reproduced above. The session_id column is the random identifier sent in the cookie; the data column is the Base64-encoded Marshal dump of the session hash (here the _csrf_token, a return URL, the user_id and the flash), so it is readable in the clear by anyone with access to the table, but it is never accepted from the client.