5 matches found
SUSE CVE-2013-3709
WebYaST 1.3 uses weak permissions for config/initializers/secret_token.rb, which allows local users to gain privileges by reading the Rails secret token from this file...
Red Hat CloudForms 2 Management Engine Tampering Vulnerability
Red Hat CloudForms 2 Management Engine (CFME) is a management engine for IaaS (Infrastructure as a Service) cloud service solutions from Red Hat, Inc. A security vulnerability exists in Red Hat CFME. A remote attacker could exploit the vulnerability to tamper with a session by using a static...
Algolia: RCE on facebooksearch.algolia.com
While doing recon on Algolia, I found that the session secret for facebooksearch.algolia.com has been committed to a public GitHub repository. Since the Rails app running at facebooksearch.algolia.com is using CookieStore as the session storage, this means an attacker knowing the session secret c...
Design/Logic Flaw
WebYaST 1.3 uses weak permissions for config/initializers/secret_token.rb, which allows local users to gain privileges by reading the Rails secret token from this file...
Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness
Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered when the program makes an unsafe method call for find_by_id. With a specially crafted parameter in an environment that knows the secret_token value in secret_token.rb, a remote attacker can more easily conduct SQL injection...