Well-Known Ruby on Rails Secret Token Used on Remote Application

medium Nessus Plugin ID 64298

Synopsis

The Ruby on Rails application on the remote host reuses secret tokens.

Description

The Ruby on Rails application on the remote host uses a well-known secret token to sign and encrypt cookies / data.

Solution

If you control the configuration to this application, generate a proper secret token and make sure it isn't publicly shared. The secret file is located at :

web_application_root/config/initalizers/secret_token.rb

Ensure this value is truly unique. If you do not control it, there may be a vendor provided upgrade that makes it unique per installation.

See Also

http://www.nessus.org/u?e33a3010

http://www.nessus.org/u?8bf34c28

http://www.nessus.org/u?52be4ff8

Plugin Details

Severity: Medium

ID: 64298

File Name: ruby_on_rails_known_secret.nbin

Version: 1.112

Type: remote

Family: General

Published: 1/30/2013

Updated: 7/17/2024

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:rubyonrails:ruby_on_rails

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 12/21/2012