[Radiant] [SOLVED] Radiant Site Hacked
John W. Long
me at johnwlong.com
Thu Jul 26 19:47:54 CDT 2007
Sylvain Gibier wrote:
> Contact me at my email address cptflam [at] gmail.com -
>
> I found the security hole.
Sylvain did indeed find a security hole in the radiantcms.org
configuration. It wasn't a security problem in Radiant per se, but it
was a problem with the way Radiant was configured on my host. However,
the hole it uncovered is something that may affect ANY Radiant
application running on a shared host.
To gain access to the admin pages of radiantcms.org Sylvain used Firefox
2.0 with the Web Developer extension, which allows you to see the current
cookies for a page. Here is how he got access to the Radiant admin:
1) He first logged on to the admin part of the demo site:
http://demo.radiantcms.org/admin/pages
2) Then he opened up another tab and initialized a new session by hitting
this URL:
http://radiantcms.org/admin/login
3) He then changed the _session_id cookie to the value used by the demo
site using the Web Developer extension in Fox.
4) With the correct cookie set he could now bypass the login screen and
hit the following URL:
http://www.radiantcms.org/admin/pages
The reason this worked is that the CGI session stuff is configured by
default to place sessions in /tmp for all Ruby applications. Both the
demo application and the version of Radiant powering the Radiant Web
site were configured to use this default. This effectively meant that
they could share the same sessions if the _session_id cookie was set up
correctly.
I fixed the problem by following the advice of this article:
http://weblog.textdrive.com/article/196/on-rails-sessions
which recommended that you place the following line in
config/environment.rb:
  # Keep this application's session files under its own tmp directory
  # instead of the host-wide default shared by every Ruby app on the box.
  ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:tmpdir => File.join(RAILS_ROOT, '/tmp'))
We will probably be switching to ActiveRecord based sessions to avoid
this in the future. In the meantime, people running Radiant sites
should take note of the above ESPECIALLY THOSE USING A SHARED HOST!!!
--
John Long
http://wiseheartdesign.com
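The following is an added example, not part of John's message or of Radiant or Rails. It models the file-based CGI session store described above with a small hypothetical class (`FileSessionStore`, one file per session id in a directory) and a toy admin check, then runs the two configurations side by side: both apps pointed at one shared tmp directory (the host default), and each app pointed at its own RAILS_ROOT/tmp as the fix recommends. The scenario names, the `admin_allowed?` helper and the sample user record are constructed for this example.

```ruby
require "tmpdir"
require "fileutils"
require "securerandom"
require "json"

# Minimal file-backed session store in the spirit of the old CGI::Session
# file store: a session is a file named after its id inside a directory.
# Hypothetical class written for this example, not Rails' own code.
class FileSessionStore
  def initialize(dir)
    @dir = dir
    FileUtils.mkdir_p(@dir)
  end

  # Start a new session and return its id (what the _session_id cookie carries).
  def create(data)
    id = SecureRandom.hex(16)
    File.write(File.join(@dir, "ruby_sess.#{id}"), JSON.generate(data))
    id
  end

  # Look up a session by id; nil if no file with that id exists in this
  # store's directory. Ids are whitelisted to hex so a cookie value can
  # never be turned into a path component.
  def load(id)
    return nil unless id =~ /\A[0-9a-f]{32}\z/
    path = File.join(@dir, "ruby_sess.#{id}")
    File.exist?(path) ? JSON.parse(File.read(path)) : nil
  end
end

# Toy admin filter: the only question it asks is whether the session that
# the cookie points to records a logged-in user. It has no way of knowing
# which application originally created that session file.
def admin_allowed?(store, session_id)
  session = store.load(session_id)
  !session.nil? && !session["user"].nil?
end

# Scenario 1 (the bug): demo site and main site both use the host-wide
# default directory. A session id issued by the demo site resolves to a
# real file when presented to the main site.
def shared_tmpdir_scenario(base = Dir.mktmpdir)
  shared  = File.join(base, "tmp")          # stands in for /tmp
  demo_app = FileSessionStore.new(shared)
  www_app  = FileSessionStore.new(shared)
  sid = demo_app.create("user" => "demo-user")  # log in to the demo site
  admin_allowed?(www_app, sid)                  # present that cookie to the main site
end

# Scenario 2 (the fix): each app sets :tmpdir => File.join(RAILS_ROOT, 'tmp'),
# so the demo site's session file is invisible to the main site.
def per_app_tmpdir_scenario(base = Dir.mktmpdir)
  demo_app = FileSessionStore.new(File.join(base, "demo", "tmp"))
  www_app  = FileSessionStore.new(File.join(base, "www", "tmp"))
  sid = demo_app.create("user" => "demo-user")
  admin_allowed?(www_app, sid)
end

if __FILE__ == $0
  puts "shared /tmp:  demo cookie accepted by www admin? #{shared_tmpdir_scenario}"
  puts "per-app tmp:  demo cookie accepted by www admin? #{per_app_tmpdir_scenario}"
end
```

The point the two scenarios make is that file-based sessions are only as isolated as their directory: any process on the host that can write a file into the shared directory, or that legitimately owns a session there, owns a session on every application reading from it. Per-application directories (or a database-backed store scoped to one application, as the message anticipates) restore that boundary.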