Filippo Valsorda :go: on Nostr: A PSA since there's some confusion on this... There is no vulnerability in Gorilla ...
A PSA since there's some confusion on this...
There is no vulnerability in Gorilla Sessions.
The vulnerability is in Palo Alto's internal SessDiskStore, which looks similar to FilesystemStore. Early analysis came to the mistaken conclusion that the vulnerable path was in FilesystemStore, but it's not. FilesystemStore authenticates the Session.ID with securecookie, SessDiskStore does not.
Published at 2024-04-17 22:59:25

Event JSON:
{
"id": "8991c5ef35e9b06b1a770cfb210a00e37393498d6f9e82694da5db315f116e6c",
"pubkey": "75c4441558d260c0ca589ce8fa89fd5052eccf0b09fca823796810a986ad1c8e",
"created_at": 1713394765,
"kind": 1,
"tags": [
[
"proxy",
"https://abyssdomain.expert/users/filippo/statuses/112289039356637058",
"activitypub"
]
],
"content": "A PSA since there's some confusion on this...\n\nThere is no vulnerability in Gorilla Sessions.\n\nThe vulnerability is in Palo Alto's internal SessDiskStore, which looks similar to FilesystemStore. Early analysis came to the mistaken conclusion that the vulnerable path was in FilesystemStore, but it's not. FilesystemStore authenticates the Session.ID with securecookie, SessDiskStore does not.",
"sig": "eeb5050825004e4764b1aecc84d473a64e79a2b72adbb8f6e294890367fb5ff904a75bb04088870602f2ac19d5d6d84ae08695355aae37fb7cc36ee3907192a8"
}
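The distinction the post draws, as an added example that is not code from the post, from Gorilla Sessions, or from Palo Alto: a disk-backed store that splices the raw cookie value into a file name lets the client pick the path, while a store that authenticates the ID before using it only ever opens files for IDs the server itself minted. Gorilla's FilesystemStore gets this property from securecookie; the example below uses the standard library's crypto/hmac to show the same idea without a dependency. The session directory, the HMAC key, the `"session_"` file prefix and the function names are assumptions made for the example, and the "unauthenticated" store is an illustration of the class of defect, not a reconstruction of SessDiskStore.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed session directory and HMAC key for the example; a real deployment
// would load both from configuration. The key is constructed, not real.
const sessionDir = "/var/lib/app/sessions"

var hmacKey = []byte("constructed-demo-key-not-for-production")

var errTamper = errors.New("session cookie failed authentication")

// unauthenticatedStorePath models a store that trusts the session ID straight
// from the cookie. Whatever the client sends becomes part of the file name,
// so "../" sequences in the cookie walk out of sessionDir.
func unauthenticatedStorePath(cookieValue string) string {
	return filepath.Join(sessionDir, "session_"+cookieValue)
}

// signID returns a base64 HMAC-SHA256 tag over the session ID.
func signID(id string) string {
	m := hmac.New(sha256.New, hmacKey)
	m.Write([]byte(id))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// mintAuthenticatedID generates a random ID and returns the cookie value
// "<hex id>.<tag>" that the client must echo back unmodified.
func mintAuthenticatedID() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	return id + "." + signID(id), nil
}

// authenticatedStorePath verifies the tag before the ID touches the
// filesystem. Because the tag only verifies for IDs the server minted,
// the ID cannot contain anything the server did not put there.
func authenticatedStorePath(cookieValue string) (string, error) {
	id, tag, ok := strings.Cut(cookieValue, ".")
	if !ok {
		return "", errTamper
	}
	if !hmac.Equal([]byte(tag), []byte(signID(id))) {
		return "", errTamper
	}
	return filepath.Join(sessionDir, "session_"+id), nil
}

// escapesDir reports whether p resolves to a location outside sessionDir.
func escapesDir(p string) bool {
	rel, err := filepath.Rel(sessionDir, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	evil := "../../../../etc/passwd"
	p := unauthenticatedStorePath(evil)
	fmt.Printf("unauthenticated: %s (escapes dir: %v)\n", p, escapesDir(p))

	if _, err := authenticatedStorePath(evil); err != nil {
		fmt.Println("authenticated, forged cookie:", err)
	}
	cookie, err := mintAuthenticatedID()
	if err != nil {
		panic(err)
	}
	p, err = authenticatedStorePath(cookie)
	fmt.Printf("authenticated, minted cookie: %s err=%v (escapes dir: %v)\n", p, err, escapesDir(p))
}
```

The check worth carrying away is the order of operations: the HMAC comparison happens before the ID is joined into a path, so path cleaning or prefix filtering never becomes the thing standing between the client and the filesystem.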