I don't actually see any bug reports open on this CVE, so I am creating a bug report here.
https://security-tracker.debian.org/tracker/CVE-2014-2875
As far as I can tell, the issue is still present in the latest git source.
I believe the vulnerable code itself is in
https://github.com/keplerproject/cgilua/blob/master/src/cgilua/session.lua
and is these bits:

```lua
local RANGE = 999999999
[...]
randseed (mod (time(), RANGE))
[...]
local function new_id ()
  return rand (RANGE)
end
```

I think it is probably safe to assume rand() doesn't meet the requirements for a session id, as in it generates numbers that are predictable.
I am not really familiar with how to generate an appropriate id, but I do notice there are some crypto libraries for Lua, e.g. https://github.com/philanc/plc
On the Debian mailing list, it was suggested "a more secure function is to simply read the value from /dev/urandom".
I believe the following code, or something similar, would fix this issue:

```lua
local basexx = require("basexx")

local function new_id()
  local path = "/dev/urandom"
  local file = io.open(path, "rb")
  if not file then return nil end
  -- 16 bytes = 128 bits of entropy
  local content = file:read(16)
  file:close()
  -- file:read can return nil or fewer bytes than requested
  if not content or #content ~= 16 then return nil end
  return basexx.to_hex(content)
end
```

Note this requires basexx. It also might break the check_id() function, which expects the session id to be an integer.
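As an added example (not cgilua's code and not the commenter's): the same /dev/urandom approach without the basexx dependency, refusing short reads, together with a validator for the new hex ids. It assumes a POSIX system with /dev/urandom, Lua 5.1 or later, and that check_id() is the name of the validator the thread refers to.

```lua
-- Added example (not cgilua's code): a session id drawn from the kernel CSPRNG,
-- hex-encoded with the standard library only, plus a matching validator.
-- Assumes a POSIX system with /dev/urandom and Lua 5.1 or later.
local ID_BYTES = 16  -- 128 bits of entropy, so ids are not guessable

local function read_random_bytes(n)
  local file, err = io.open("/dev/urandom", "rb")
  if not file then return nil, "cannot open /dev/urandom: " .. tostring(err) end
  local data = file:read(n)
  file:close()
  -- A short read (or nil) would silently weaken the id; refuse it instead.
  if not data or #data ~= n then return nil, "short read from /dev/urandom" end
  return data
end

-- Encode raw bytes as lowercase hex without basexx.
local function to_hex(bytes)
  return (bytes:gsub(".", function(c) return string.format("%02x", c:byte()) end))
end

-- Replacement for session.lua's new_id(): raises instead of handing out a
-- weak or empty id when the entropy source is unavailable.
local function new_id()
  local raw, err = read_random_bytes(ID_BYTES)
  if not raw then error(err) end
  return to_hex(raw)
end

-- Replacement for the integer-based check_id() (name assumed from the thread):
-- the id now arrives as a string from the client's cookie, so accept exactly
-- ID_BYTES * 2 hex digits and nothing else.
local function check_id(id)
  return type(id) == "string"
     and #id == ID_BYTES * 2
     and id:match("^%x+$") ~= nil
end

local id = new_id()
assert(check_id(id), "generated id must validate")
assert(not check_id("../../etc/passwd"), "non-hex ids must be rejected")
assert(not check_id(tostring(123456789)), "old integer-style ids are no longer valid")
print("session id: " .. id)
```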