Showing posts with label aiohttp-session. Show all posts

Thursday, January 17, 2019

[CVE-2018-1000814] Session reuse on aiohttp-session prior to 2.7.0

On Oct 08 2018 a session reuse vulnerability was discovered in aiohttp-session (and disclosed in aiohttp-session#325). It falls under CWE-287 (Improper Authentication) and is caused by the library's reliance on the storage backend for data expiration.

Because of this reliance, storage backends with inherent expiry, like Redis or Memcached, were not vulnerable. On backends that keep all session data in the cookie itself, like EncryptedCookieStorage and NaClCookieStorage, however, it is possible for a malicious client to re-create a cookie carrying the same session data. This effectively gives sessions an infinite lifetime, defeating the purpose of session expiry, which is to minimize the attack window on the most vulnerable part of an application's authentication: the session transfer.
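To make the distinction concrete, here is an added illustration (not aiohttp-session's code) of a signed-cookie session store: the vulnerable loader trusts the signature alone and leaves expiry to the browser's cookie max_age, while the hardened loader also keeps the creation time inside the signed payload and rejects anything older than MAX_AGE regardless of who presents it. The secret, MAX_AGE and the sample session values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"demo-secret-not-for-production"
MAX_AGE = 3600  # seconds a session stays valid after creation (constructed)


def _sign(body: str) -> str:
    """HMAC-SHA256 over the encoded payload so the client cannot alter it."""
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def _verify(cookie: str) -> Optional[dict]:
    """Check the signature and return the decoded payload, or None if tampered."""
    try:
        body, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def encode_cookie(data: dict, created: float) -> str:
    """Serialize session data plus its creation time into a signed cookie value."""
    body = base64.urlsafe_b64encode(
        json.dumps({"created": created, "session": data}).encode()
    ).decode()
    return f"{body}.{_sign(body)}"


def decode_cookie_no_expiry(cookie: str) -> Optional[dict]:
    """Vulnerable pattern: the server checks only the signature and relies on
    the browser honouring the cookie's max_age. A client that simply keeps the
    old cookie value can replay it forever."""
    payload = _verify(cookie)
    return None if payload is None else payload["session"]


def decode_cookie_with_expiry(cookie: str, now: float) -> Optional[dict]:
    """Hardened pattern: the creation time is part of the signed payload, so an
    old cookie is rejected server-side even though its signature is valid."""
    payload = _verify(cookie)
    if payload is None:
        return None
    if now - payload["created"] > MAX_AGE:
        return None
    return payload["session"]


def demo() -> tuple:
    """Replay a cookie just after its intended lifetime against both loaders."""
    created = 1_000_000.0                       # constructed timestamp
    cookie = encode_cookie({"user": "alice"}, created)
    later = created + MAX_AGE + 1               # client replays an expired cookie
    return decode_cookie_no_expiry(cookie), decode_cookie_with_expiry(cookie, later)


if __name__ == "__main__":
    print(demo())  # the first loader still accepts the replay, the second does not
```

Note the trade-off this introduces: once expiry is measured from an absolute creation time baked into the payload, a session cannot be kept alive indefinitely by activity alone unless the timestamp is refreshed on every save, which is exactly the kind of "idle session" behaviour that server-side storage with a sliding TTL gives you for free.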

On Oct 13 2018 the vulnerability was patched with aiohttp-session#331 and aiohttp-session v2.7.0 was released.

Finally on Dec 20 2018 this vulnerability was assigned CVE-2018-1000814.

Side effects

The applied patch of #331 does have a side effect: it breaks the library's implicit behavior of creating 'idle sessions'. So if you are not using one of the vulnerable backends and are relying on aiohttp-session for idle sessions, your best bet is to pin your dependency to aiohttp-session==2.6.0 until a fix is released.


Other references

Vulndb
NVD/NIST

Monday, June 25, 2018

[CVE-2018-1000519] Session Fixation on aiohttp-session prior to 2.4.0

tl;dr: If you are using a version of aiohttp-session prior to 2.4.0, update!

On Apr 30 2018 a session fixation vulnerability was discovered in aiohttp-session, caused by improper session (in)validation. A detailed description of the vulnerability, steps to reproduce and Proof of Concept code can be found at aiohttp-session#272.

The gist of it is that when invalidating a session, the value of the session was set to equal `{}`. However, when validating a session (i.e. loading it) a session was considered valid if its value was `!= None`.

This could allow a malicious actor to acquire a session, invalidate it, inject the cookie into a victim's browser (before the victim authenticates) and then control the victim's session after the victim authenticates (by knowing the session cookie's value).

On May 4 2018 the vulnerability was patched (with aiohttp-session#273) and aiohttp-session v2.4.0 was released.

On May 12 2018 aiohttp-session's API (and documentation) was expanded to allow explicit acquisition of a new session (to be used in login handlers) to guard against session fixation introduced by application code.
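The following added example (my own simplified model, not aiohttp-session's code) walks through both points above: the `{}` versus `!= None` mismatch that let an invalidated session keep its identity, and the two defences, treating an empty session as absent on load and explicitly taking a fresh session in the login handler. The in-memory `STORE`, the `Session` class and the `new_session`/`load_session`/`save_session` helpers are constructed for this demo and only mimic the shape of a server-side backend.

```python
import secrets
from typing import Dict, Optional

# In-memory stand-in for a server-side backend such as Redis (constructed).
STORE: Dict[str, dict] = {}


class Session:
    def __init__(self, identity: Optional[str], data: dict, new: bool):
        self.identity = identity  # the cookie value, also the backend key
        self.data = data
        self.new = new

    def invalidate(self) -> None:
        # Mirrors the behaviour described in the post: invalidation empties
        # the mapping but leaves the identity untouched.
        self.data = {}


def new_session() -> Session:
    """Explicitly fresh session with no identity; save_session() mints one."""
    return Session(None, {}, new=True)


def load_session(cookie: Optional[str], fixed: bool) -> Session:
    data = STORE.get(cookie) if cookie is not None else None
    if fixed:
        # Hardened check: an empty mapping counts as no session at all, so
        # the caller gets a new identity instead of inheriting the old one.
        if not data:
            return new_session()
    else:
        # Vulnerable check: anything other than None is a live session, so an
        # invalidated-but-stored `{}` keeps its identity across a login.
        if data is None:
            return new_session()
    return Session(cookie, dict(data), new=False)


def save_session(session: Session) -> str:
    if session.identity is None:
        session.identity = secrets.token_hex(16)
    STORE[session.identity] = dict(session.data)
    return session.identity


def run_scenario(fixed: bool, regenerate_on_login: bool) -> bool:
    """Return True if the attacker can read the victim's authenticated session."""
    STORE.clear()
    # 1. The attacker obtains a session and invalidates it.
    attacker = load_session(None, fixed)
    attacker.data["seen"] = True
    attacker_cookie = save_session(attacker)
    attacker = load_session(attacker_cookie, fixed)
    attacker.invalidate()
    save_session(attacker)
    # 2. The victim arrives carrying the attacker's cookie and logs in.
    victim = load_session(attacker_cookie, fixed)
    if regenerate_on_login:
        victim = new_session()  # explicit fresh session in the login handler
    victim.data["user"] = "victim"
    save_session(victim)
    # 3. The attacker replays the cookie they planted.
    replay = load_session(attacker_cookie, fixed)
    return replay.data.get("user") == "victim"


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False, regenerate_on_login=False))
    print("load fix:  ", run_scenario(fixed=True, regenerate_on_login=False))
    print("login fix: ", run_scenario(fixed=False, regenerate_on_login=True))
```

Either defence alone breaks the chain, but they protect against different mistakes: the load-time check covers the library's own invalidation path, while taking a new session at login protects against application code that reuses whatever session the request happened to carry.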

Finally on Jun 22 2018 this vulnerability was assigned CVE-2018-1000519.