Well-Known Ruby on Rails Secret Token Used on Remote Application

medium Nessus Plugin ID 64298

Synopsis

The Ruby on Rails application on the remote host signs its cookies with a publicly known secret token.

Description

The Ruby on Rails application on the remote host uses a well-known secret token (for example a default value shipped with a vendor product, or a value committed to a public source repository) to sign and encrypt its cookies and other signed data. Anyone who knows the secret can forge a valid session cookie and act as any user of the application. Rails versions that still configure the secret in secret_token.rb also deserialize the cookie-store session with Marshal, so a forged cookie can carry an object that runs arbitrary code when the application loads it.

Solution

If you control the configuration of this application, generate a proper secret token and make sure it is never publicly shared. In Rails 3.x and 4.0 the secret is set in:

web_application_root/config/initializers/secret_token.rb

A suitable value can be produced with "rake secret" (128 hexadecimal characters). In Rails 4.1 and later the equivalent setting is secret_key_base in config/secrets.yml or in the encrypted credentials file. Ensure the value is unique to this installation and treat it as a credential: keep it out of source control, and rotate it if it has been exposed (rotating it invalidates all existing sessions, which is the intended effect). If you do not control the configuration, check whether the vendor provides an upgrade that generates a unique secret per installation.
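The following Ruby example, added here and not part of the Nessus plugin or of any Rails release, reproduces the Rails 3.x cookie-signing scheme (ActiveSupport::MessageVerifier: HMAC-SHA1 over the Base64-encoded Marshal payload, appended after "--") so that a captured session cookie can be tested against a list of candidate secrets, which is essentially what this plugin does remotely. The candidate secrets and the sample session content are constructed for the example; generate_secret mirrors the shape of the value "rake secret" produces.

```ruby
require 'openssl'
require 'securerandom'

# Example code for this page (not the plugin's logic). Reimplements the
# Rails 3.x signed-cookie format so a captured cookie can be checked
# against a list of candidate (well-known) secrets without Rails installed.
module CookieCheck
  SEPARATOR = '--'.freeze

  # Same shape as `rake secret`: 64 random bytes rendered as 128 hex characters.
  def self.generate_secret
    SecureRandom.hex(64)
  end

  # Rails 3 MessageVerifier: hex HMAC-SHA1 of the Base64 data, keyed with the secret.
  def self.digest(secret, data)
    OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  end

  # Produce a cookie value exactly as the cookie store would for the given session hash.
  def self.sign(secret, session)
    data = [Marshal.dump(session)].pack('m0') # strict Base64, no line breaks
    "#{data}#{SEPARATOR}#{digest(secret, data)}"
  end

  # Length-independent comparison so signature checks do not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Returns the session hash when the signature matches, nil otherwise.
  # Deserialisation happens only after the HMAC check; if the secret is
  # public, an attacker controls what Marshal.load receives here.
  def self.verify(secret, cookie)
    data, sig = cookie.split(SEPARATOR, 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(secret, data), sig)
    Marshal.load(data.unpack1('m0'))
  end

  # Scanner-style check: which candidate secret (if any) validates this cookie?
  def self.known_secret_for(cookie, candidates)
    candidates.find { |secret| !verify(secret, cookie).nil? }
  end
end

# Constructed demonstration data (not real secrets or cookies).
KNOWN_SECRETS = ['deadbeef' * 16, 'changeme' * 16].freeze

if $PROGRAM_NAME == __FILE__
  leaked_cookie = CookieCheck.sign(KNOWN_SECRETS.first, { 'user_id' => 1 })
  hit = CookieCheck.known_secret_for(leaked_cookie, KNOWN_SECRETS)
  puts hit ? "cookie signed with a well-known secret: #{hit[0, 8]}..." : 'no known secret matched'

  good_cookie = CookieCheck.sign(CookieCheck.generate_secret, { 'user_id' => 1 })
  puts CookieCheck.known_secret_for(good_cookie, KNOWN_SECRETS).nil? ? 'unique secret: OK' : 'unexpected'
end
```

To use it against a real target, capture the application's session cookie (for example, the _app_session value from a Set-Cookie header) and pass it to known_secret_for with the secrets you have reason to suspect (vendor defaults, values found in public repositories). A match is conclusive proof that the finding applies, since only the holder of the secret can produce a valid HMAC.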

See Also

http://www.nessus.org/u?e33a3010

http://www.nessus.org/u?8bf34c28

http://www.nessus.org/u?52be4ff8

Plugin Details

Severity: Medium

ID: 64298

File Name: ruby_on_rails_known_secret.nbin

Version: 1.110

Type: remote

Family: General

Published: 1/30/2013

Updated: 3/19/2024

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: cpe:/a:rubyonrails:ruby_on_rails

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 12/21/2012