A PSA since there's some confusion on this...
There is no vulnerability in Gorilla Sessions.
The vulnerability is in Palo Alto's internal SessDiskStore, which looks similar to FilesystemStore. Early analysis came to the mistaken conclusion that the vulnerable path was in FilesystemStore, but it's not. FilesystemStore authenticates the Session.ID with securecookie, SessDiskStore does not.
Filippo Valsorda :go: /
npub1wh…akn2m
2024-04-17 22:59:25
Author Public Key
npub1whzyg92c6fsvpjjcnn504z0a2pfwenctp872sgmedqg2np4drj8qwakn2mPublished at
2024-04-17 22:59:25Event JSON
{
"id": "8991c5ef35e9b06b1a770cfb210a00e37393498d6f9e82694da5db315f116e6c",
"pubkey": "75c4441558d260c0ca589ce8fa89fd5052eccf0b09fca823796810a986ad1c8e",
"created_at": 1713394765,
"kind": 1,
"tags": [
[
"proxy",
"https://abyssdomain.expert/users/filippo/statuses/112289039356637058",
"activitypub"
]
],
"content": "A PSA since there's some confusion on this...\n\nThere is no vulnerability in Gorilla Sessions.\n\nThe vulnerability is in Palo Alto's internal SessDiskStore, which looks similar to FilesystemStore. Early analysis came to the mistaken conclusion that the vulnerable path was in FilesystemStore, but it's not. FilesystemStore authenticates the Session.ID with securecookie, SessDiskStore does not.",
"sig": "eeb5050825004e4764b1aecc84d473a64e79a2b72adbb8f6e294890367fb5ff904a75bb04088870602f2ac19d5d6d84ae08695355aae37fb7cc36ee3907192a8"
}