[Openstack-security] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

Kurt Seifried kseifried at redhat.com
Fri Oct 4 04:04:14 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/03/2013 10:00 PM, Jeffrey Walton wrote:
> On Thu, Oct 3, 2013 at 11:48 PM, Kurt Seifried
> <kseifried at redhat.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 10/03/2013 09:39 PM, Paul McMillan wrote:
>>> Hi Kurt,
>>> 
>>> The upstream Django team would be extremely happy if you
>>> refrained from assigning a CVE for a clearly documented
>>> security tradeoff, which is covered in both the
>>> Django and the Horizon docs, as well as in the Openstack
>>> Security Guide.
>>> 
>>> The upshot of this entire business is that if you rely solely on
>>> client-side cookies, logging out deletes the cookie from a
>>> local browser, but does not actually invalidate it until the
>>> session expiry timeout. If you don't like this particular
>>> technical limitation of using client-side sessions, you are
>>> advised not to use that cookie backend.
>>> 
>>> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>>> 
>>> This does NOT deserve a CVE.
>>> 
>>> Regards, -Paul
>> 
>> Yeah this is usually why i research things a bit before assigning
>> a CVE.
>> 
>> So based on
>> 
>> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>> 
>> No freshness guarantee
>> 
>> Note also that while the MAC can guarantee the authenticity of
>> the data (that it was generated by your site, and not someone
>> else), and the integrity of the data (that it is all there and
>> correct), it cannot guarantee freshness i.e. that you are being
>> sent back the last thing you sent to the client. This means that
>> for some uses of session data, the cookie backend might open you
>> up to replay attacks. Unlike other session backends which keep a
>> server-side record of each session and invalidate it when a user
>> logs out, cookie-based sessions are not invalidated when a user
>> logs out. Thus if an attacker steals a user’s cookie, he can use
>> that cookie to login as that user even if the user logs out.
>> Cookies will only be detected as ‘stale’ if they are older than
>> your SESSION_COOKIE_AGE.
>> 
>> I would say this falls into the Python Pickle() group (large red 
>> banner), a potentially dangerous feature with a large warning.
>> Ergo no CVE.
>> 
>> My one comment would be to possibly make the replay warning more
>> prominent and also mention protecting the cookie with HTTPS
>> (wireless networks in coffee shops/etc.).
> What precisely is OpenStack going to do to ensure Django is always
> in an approved configuration (or ships in a secure configuration)?
> 
> Are there any UI warnings when moving from a secure configuration
> to a potentially insecure configuration?
> 
> Are the QA folks or Release team aware they need to inspect a
> setting and check a box?
> 
> (Forgive my ignorance - I'm still learning policy and procedures).
> 
> Jeff

I assume this would primarily be up to the people packaging and
shipping OpenStack. Having a feature to ensure it is safely configured
and if not to raise a warning in the GUI/etc. would be great, feel
free to file an RFE upstream.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
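The behaviour the thread argues about, as an added example that is not part of the original mail or of Django's code: a simplified signed-cookie session (base64 JSON, an issue timestamp and an HMAC; this is a model of the scheme, not Django's wire format) next to a server-side session table. The secret key, the user record and the timestamps are constructed for the example. The MAC check rejects tampering and the age check rejects cookies older than SESSION_COOKIE_AGE, but a copy of the cookie taken before the user "logs out" keeps verifying, because the client-side backend has nothing to invalidate; the server-side store drops the record on logout, so the same stolen value is useless immediately.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed secret for the example; a real deployment uses its own SECRET_KEY.
SECRET = b"example-secret-key-not-for-production"
SESSION_COOKIE_AGE = 1209600  # Django's default of two weeks, in seconds


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def make_signed_cookie(data: dict, now: float) -> str:
    """Client-side session: base64(JSON) + issue time + HMAC over both.
    Simplified model of a signed-cookie backend, not Django's format."""
    body = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    stamped = f"{body}:{int(now)}"
    return f"{stamped}:{_sign(stamped.encode())}"


def load_signed_cookie(cookie: str, now: float, max_age: int = SESSION_COOKIE_AGE):
    """Return the session dict, or None if the MAC is wrong or the cookie is stale.
    The server keeps no record, so it cannot tell whether the user logged out."""
    try:
        body, ts, mac = cookie.rsplit(":", 2)
        issued = int(ts)
    except ValueError:
        return None
    stamped = f"{body}:{ts}"
    if not hmac.compare_digest(_sign(stamped.encode()), mac):
        return None  # forged or tampered
    if now - issued > max_age:
        return None  # older than SESSION_COOKIE_AGE: the only staleness check available
    return json.loads(base64.urlsafe_b64decode(body))


class ServerSessionStore:
    """Server-side backend: the cookie is just an opaque key into this table."""

    def __init__(self):
        self._sessions = {}

    def create(self, data: dict) -> str:
        key = secrets.token_urlsafe(32)
        self._sessions[key] = dict(data)
        return key

    def load(self, key: str):
        return self._sessions.get(key)

    def logout(self, key: str) -> None:
        # Deleting the record invalidates every copy of the cookie at once.
        self._sessions.pop(key, None)


def replay_after_logout() -> dict:
    """Walk through the scenario from the thread and report what each backend does."""
    t0 = 1_000_000.0  # constructed issue time
    user = {"_auth_user_id": "42"}

    # Cookie backend: attacker copies the cookie; the user then "logs out",
    # which only deletes the browser's copy and changes nothing server-side.
    stolen = make_signed_cookie(user, t0)
    after_logout = load_signed_cookie(stolen, t0 + 3600)
    after_expiry = load_signed_cookie(stolen, t0 + SESSION_COOKIE_AGE + 1)
    flipped = "0" if stolen[-1] != "0" else "1"
    tampered = load_signed_cookie(stolen[:-1] + flipped, t0 + 3600)

    # Server-side backend: logout removes the record, so the copy is worthless.
    store = ServerSessionStore()
    stolen_key = store.create(user)
    store.logout(stolen_key)
    server_after_logout = store.load(stolen_key)

    return {
        "cookie_backend_replays_after_logout": after_logout == user,
        "cookie_backend_rejects_after_max_age": after_expiry is None,
        "cookie_backend_rejects_tampering": tampered is None,
        "server_backend_rejects_after_logout": server_after_logout is None,
    }


if __name__ == "__main__":
    for check, result in replay_after_logout().items():
        print(f"{check}: {result}")
```

In Django the choice between the two behaviours is the SESSION_ENGINE setting (django.contrib.sessions.backends.signed_cookies versus a server-side backend such as django.contrib.sessions.backends.db), and the HTTPS point raised above corresponds to SESSION_COOKIE_SECURE = True, which keeps the cookie off cleartext connections; neither changes the fact that a signed cookie stays valid until SESSION_COOKIE_AGE elapses.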
