[Secure-testing-team] Bug#728871: fookebox: bogus secret value in config
Jonas Smedegaard
dr at jones.dk
Wed Nov 6 12:02:19 UTC 2013
Package: fookebox
Version: 0.6.1-2
Severity: grave
Tags: security
Justification: user security hole
Default config installed as /etc/fookebox/config.ini contains this line:
beaker.session.secret = somesecret
According to [Pylons documentation] that secret "should be a secret,
ideally randomly generated value on production environments."
- Jonas
[Pylons documentation]: http://docs.pylonsproject.org/projects/pylons-webframework/en/latest/sessions.html
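As an added example (not part of this bug report or of the fookebox package), the following Python snippet shows the check a packager or admin would want here: it parses an ini-style config, flags a `beaker.session.secret` that is still a placeholder or too short, and replaces it with a value from the `secrets` module. The sample config text is constructed to mirror the line quoted above; the `WEAK_SECRETS` list and the 32-character minimum are assumptions, not values from Pylons or Debian.

```python
import configparser
import io
import os
import secrets

# Constructed sample mirroring the shipped default quoted in the report.
SAMPLE_CONFIG = """[app:main]
use = egg:fookebox
beaker.session.secret = somesecret
"""

OPTION = "beaker.session.secret"
# Assumed list of placeholder values worth flagging (not from the page).
WEAK_SECRETS = {"somesecret", "secret", "changeme", "password", ""}
# Assumed minimum length; 32 hex chars is 128 bits of entropy.
MIN_SECRET_LEN = 32


def is_weak_secret(value):
    """True if the secret is a known placeholder or shorter than MIN_SECRET_LEN."""
    v = value.strip()
    return v.lower() in WEAK_SECRETS or len(v) < MIN_SECRET_LEN


def _parse(text):
    # interpolation=None so Paste-style %(here)s values do not trip the parser.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_config(text):
    """Return [(section, value), ...] for every weak session secret found."""
    cp = _parse(text)
    findings = []
    for section in cp.sections():
        if cp.has_option(section, OPTION) and is_weak_secret(cp.get(section, OPTION)):
            findings.append((section, cp.get(section, OPTION)))
    return findings


def generate_secret():
    """256 bits from the OS CSPRNG, rendered as 64 hex characters."""
    return secrets.token_hex(32)


def harden_config(text):
    """Replace every weak secret; return (new_text, number_replaced)."""
    cp = _parse(text)
    replaced = 0
    for section, _ in check_config(text):
        cp.set(section, OPTION, generate_secret())
        replaced += 1
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue(), replaced


def harden_file(path):
    """Rewrite the file in place with a fresh secret and owner-only permissions."""
    with open(path, encoding="utf-8") as fh:
        new_text, replaced = harden_config(fh.read())
    if replaced:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        os.chmod(path, 0o600)  # the file now holds a real secret
    return replaced


if __name__ == "__main__":
    print("weak secrets:", check_config(SAMPLE_CONFIG))
    hardened, n = harden_config(SAMPLE_CONFIG)
    print(f"replaced {n} secret(s); remaining findings: {check_config(hardened)}")
```

Note that `configparser` drops comments when it writes the file back, so for a packaged config the usual route is to generate the secret in the maintainer script (postinst) and substitute it into a template rather than round-tripping the installed file through a parser.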