Open Source Rails projects, make sure you’re safe… 27 September 2008

An impending doom? Possibly. There was a thread on the Rails Core list not too long ago, titled “Cookie session security and open-source“, and they covered what seems to be an obvious security flaw. I distinctly remember following the events as they happened and thinking to myself that it made a lot of sense, and yet I fell victim to the same thing.

PowerDNS on Rails uses the cookie store, and until b2ff9410de[...] had both the session key and session secret hard coded in the environment.rb file.

It came down on me like a ton of bricks when I was moderating a comment by JGeiger on my previous post (Using hoptoad in open source project deployments). I quickly jumped to fix the code using a solution put out by Trevor Turk which requires users to set both the session key and session secret in their database.yml files.

I know this is not an optimal solution, but it works until the Core team (and we) have found a reasonable solution to the problem.
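To make the point concrete, here is an added example (my own illustration, not code from PowerDNS on Rails or from Trevor Turk's solution) of what the move out of environment.rb buys you: a loader that refuses to boot on a missing or committed session secret, and a Rails 2.x-style cookie-store check under which a cookie signed with the old, public secret no longer verifies once a deployment has its own. The placeholder value and YAML layout are constructed for the example; JSON stands in for the Marshal serialisation Rails used.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'yaml'

# Constructed stand-in for the value a public environment.rb would have
# shipped with; anyone with the repo knows it (hypothetical placeholder).
COMMITTED_PLACEHOLDER = 'CHANGE_ME_committed_to_the_public_repo'

# Read the per-deployment secret from YAML (the post moves it into
# database.yml) and refuse to start on a missing, committed, or short value.
def load_session_secret(yaml_text, env = 'production')
  cfg = YAML.safe_load(yaml_text) || {}
  secret = (cfg[env] || {})['session_secret'].to_s
  raise "session_secret missing for #{env}" if secret.empty?
  raise 'session_secret is the committed placeholder' if secret == COMMITTED_PLACEHOLDER
  raise "session_secret too short (#{secret.length} chars)" if secret.length < 30
  secret
end

# Compare digests without leaking the position of the first mismatch.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie-store layout as in Rails 2.x: base64(payload) + "--" + HMAC-SHA1 hex.
# JSON replaces Marshal here to keep the example self-contained.
def sign_session(data, secret)
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, payload)}"
end

# Returns the session hash only if the signature checks out under `secret`,
# otherwise nil: a cookie minted with the old, public secret is rejected
# once a deployment has rotated to its own secret.
def verify_session(cookie, secret)
  payload, digest = cookie.to_s.split('--', 2)
  return nil unless payload && digest
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless constant_time_eq(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end
```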

As part of stating the obvious (you gotta love hindsight), I recommend anyone who is running PowerDNS on Rails in a production environment to run it over SSL. Apart from session hijacking woes, having your zone data readable as plain text is just as bad as allowing zone transfers to any DNS client…