Vote #65230 (Closed)

Weak autologin token generation algorithm causes duplicate tokens

Added by Admin Redmine over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Urgent
Assignee: -
Category: Accounts / authentication_7
Target version: 0.8.4_10 (per the journal entry below)
Start date: 2009/05/13
Due date: -
% Done: 0%
Estimated time: -

Imported fields: category_id 7, version_id 10, issue_org_id 3351, author_id 3936, assigned_to_id 0, comments 8, status_id 5, tracker_id 1, plus1 0

Description

After switching to mod_passenger we got 7 (seven!) duplicated autologin tokens within 2 weeks. It caused some changes to be made under the wrong user account!

It looks like, due to the use of a pseudo-random sequence generator, two concurrent Ruby processes may use the same random seed (and as a result the same random sequence).

At our instance we made a quick fix: prepend the random sequence with "#{user.id}_" and take the leftmost 40 chars; however, I guess there may be a better solution.


Journals

Also, I suggest denying login if a search by autologin within the Token table returns 2 or more records; it allows preventing and troubleshooting possible errors in the future.
--------------------------------------------------------------------------------
I never experienced this issue but I've just committed the following fixes in r2740, r2741, r2742:
* ActiveSupport::SecureRandom is now used to generate tokens
* Added a validation on token uniqueness that will prevent 2 tokens with the same value from being saved
* Autologin is denied if more than one token is found
--------------------------------------------------------------------------------
> I never experienced

We suspect it is due to process forking, which leads to the random sequence seed being *inherited* from the parent process, so two processes continue working with the same sequence.

> ActiveSupport::SecureRandom is now used to generate tokens

Thanks, it is what we were going to suggest!
--------------------------------------------------------------------------------
A small example from our developers:

<pre>
irb(main):004:0> rand(50)
=> 9
irb(main):005:0> fork { puts rand(50) }
37
=> 22831
irb(main):006:0> rand 50
=> 37
</pre>

--------------------------------------------------------------------------------
Also, you could check your DB to ensure you have really never been affected by this vulnerability:

<pre>
select value, count(*) from tokens group by value having count(*) > 1
</pre>
--------------------------------------------------------------------------------
That's what I did when I said that I never experienced this issue.
--------------------------------------------------------------------------------
Jean-Philippe Lang wrote:
> That's what I did when I said that I never experienced this issue.

Probably you are not using mod_passenger. If you started several predefined processes (without mod_passenger), then each process had its own seed and its own random sequence.

mod_passenger does fork, and the forked processes inherit the parent's seed (see post #4); it is the key factor in reproducing the problem.
--------------------------------------------------------------------------------
Indeed, I'm using apache+mod_fcgid.
Fixes are backported in 0.8-stable branch in r2747.
--------------------------------------------------------------------------------
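The fork/PRNG behaviour the thread describes and the three fixes listed for r2740, r2741 and r2742, as an added example in Ruby that is not Redmine's own code: the two generator classes, the in-memory TokenTable, the token alphabet, the seed 2009 and the fork-with-pipes helper are all assumptions made for illustration, and a Random instance held by the application stands in for the Kernel#rand state the reporter saw inherited by mod_passenger's forked workers.

```ruby
require 'securerandom'

# Added example (not Redmine's code). Models the bug in this issue: a PRNG
# seeded once in the parent is copied by fork, so forked workers emit the same
# "random" token; SecureRandom draws from OS entropy in each process instead.

TOKEN_LENGTH = 40  # the report says tokens are 40 characters long

# Pre-fix shape: a Mersenne Twister seeded once in the parent process.
# (Assumption: Random.new stands in for the Kernel#rand state that the
# reporter saw inherited by mod_passenger's forked workers.)
class WeakTokenGenerator
  ALPHABET = (('a'..'z').to_a + ('0'..'9').to_a).freeze  # assumed alphabet

  def initialize(seed)
    @rng = Random.new(seed)
  end

  def call
    Array.new(TOKEN_LENGTH) { ALPHABET[@rng.rand(ALPHABET.size)] }.join
  end
end

# Post-fix shape (r2740): SecureRandom, which reads the OS CSPRNG, so no
# generator state is shared with the parent or with sibling workers.
class StrongTokenGenerator
  def call
    SecureRandom.hex(TOKEN_LENGTH / 2)  # 20 bytes -> 40 hex characters
  end
end

# Run `generator` inside `n` forked children, as mod_passenger's workers would,
# and return the tokens they produced. Where fork is unavailable, copy the
# generator's state instead, which is what fork does to the process image.
def tokens_from_forked_workers(generator, n = 2)
  unless Process.respond_to?(:fork)
    return Array.new(n) { Marshal.load(Marshal.dump(generator)).call }
  end
  readers = Array.new(n) do
    reader, writer = IO.pipe
    fork do
      reader.close
      writer.write(generator.call)  # child uses the inherited PRNG state
      writer.close
      exit!(0)
    end
    writer.close
    reader
  end
  tokens = readers.map { |r| token = r.read; r.close; token }
  Process.waitall
  tokens
end

class DuplicateTokenError < StandardError; end
class AmbiguousTokenError < StandardError; end

# In-memory stand-in for Redmine's tokens table. `validate_uniqueness: true`
# models the validation added in r2741; #autologin models r2742's rule that a
# value matching more than one row is refused rather than logging someone in.
class TokenTable
  def initialize(validate_uniqueness: true)
    @rows = []  # each row: { user_id:, action:, value: }
    @validate_uniqueness = validate_uniqueness
  end

  def create(user_id, value, action: 'autologin')
    if @validate_uniqueness && @rows.any? { |row| row[:value] == value }
      raise DuplicateTokenError, 'token value already exists'
    end
    @rows << { user_id: user_id, action: action, value: value }
  end

  # Equivalent of the SQL check posted in the thread:
  #   select value, count(*) from tokens group by value having count(*) > 1
  def duplicate_values
    @rows.group_by { |row| row[:value] }.select { |_, rows| rows.size > 1 }.keys
  end

  # Returns the user id for a valid autologin token, nil if unknown, and
  # raises if the value is ambiguous (more than one row matches).
  def autologin(value)
    matches = @rows.select { |row| row[:action] == 'autologin' && row[:value] == value }
    raise AmbiguousTokenError, "#{matches.size} tokens match" if matches.size > 1
    matches.first && matches.first[:user_id]
  end
end

if __FILE__ == $PROGRAM_NAME
  weak = tokens_from_forked_workers(WeakTokenGenerator.new(2009))
  puts "weak tokens identical across fork: #{weak.uniq.size == 1}"
  strong = tokens_from_forked_workers(StrongTokenGenerator.new)
  puts "SecureRandom tokens distinct: #{strong.uniq.size == strong.size}"
end
```

Both forked children of WeakTokenGenerator return the same 40-character token because fork copies the Mersenne Twister state byte for byte, while the SecureRandom children differ. The example deliberately holds its own Random instance rather than calling Kernel#rand, so the inherited-state behaviour is shown regardless of how a given Ruby release treats the default generator after fork. Run as a script it prints the two checks; the TokenTable with uniqueness validation off reproduces the "two rows, one value" state the SQL query in the thread hunts for, and its autologin lookup refuses to pick one of them.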

Updated by Admin Redmine over 3 years ago

  • Category set to Accounts / authentication_7
  • Target version set to 0.8.4_10
