what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

web.go Insecure Cookie

web.go Insecure Cookie
Posted Feb 25, 2011
Authored by Nam Nguyen | Site bluemoon.com.vn

web.go suffers from an insecure cookie vulnerability. Their cookie is modeled after Tornado which had the same issue reported on in 2010.

tags | advisory, web, insecure cookie handling
SHA-256 | ee2dc2d011a705d23606558d2a5af6c6a4bbf9a22dfdf2f4a9697f1c61fde09f

web.go Insecure Cookie

Change Mirror Download
BLUE MOON SECURITY ADVISORY 2011-01
===================================


:Title: Insecure secure cookie in web.go
:Severity: Low
:Reporter: Blue Moon Consulting
:Products: web.go
:Fixed in: --


Description
-----------

web.go is the simplest way to write web applications in the Go programming language. It's ideal for writing simple, performant backend web services.

web.go's secure cookie is modeled after Tornado. It suffers the same vulnerability that was documented in `BMSA 2010-01 <http://www.bluemoon.com.vn/advisories/bmsa201001.html>`_.

This vulnerability is rated at low severity due to situational exploiting conditions.

Workaround
----------

There is no workaround.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

November 19, 2010: Notice sent to Michael Hoisie.

:Vendor response:

November 20, 2010: Michael replied confirming the bug and promising to update it.

:Further communication:

January 12, 2011: Quick ping sent to Michael to ask for an estimated time of a fix and coordinate an announcement on January 17.

:Public disclosure: February 25, 2011

:Exploit code:

No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close