4 matches found
Improper Privilege Management in devise_masquerade
The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise without this extension is used. If the...
Metasploit Web UI Static secret_key_base Value
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule NullSerializer @serializer = options:serializer || Marshal end def encryptandsignvalue...
Metasploit Weekly Release Static secret_key_base pre-auth Remote Code Execution Vulnerability
Author: Justin Steven OVE ID: OVE-20160904-0002 Private disclosure date: 2016-09-04 Public disclosure date: 2016-09-19 Vendor advisory: https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401 Affected versions: Metasploit...
Ruby on Rails - Known Secret Session Cookie Remote Code Execution (Metasploit)
This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3 Msf::Exploit::Remote Rank =...