In the source code there are 3 relevant places where the Flask Secret Key is hardcoded. Flask signs all its client sessions with this secret key, usually defined in an environment variable. In this case, though, there are these three places where these are hardcoded.
This gives a malicious user the ability to sign their own cookies (using, for example, Flask-Unsign), internally change the UID of the current user, and assume any other user, for example UID 1, which is the Admin. (Privilege Escalation)
Another interesting issue that you run into as well is that having two Flask servers with the same secret key makes it possible for a user to reuse a UID 1 cookie from Server A and apply that cookie to Server B, logging in to the same UID 1. (Lateral movement/Authentication bypass)
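As an added example (not code from the issue or from the project it reports on), a stdlib-only check for the pattern described above: it parses a Python source file into an AST and flags every `SECRET_KEY` assignment whose value is a string or bytes literal, which is how the three hardcoded keys in this report would be caught in review or CI. Both sample sources below are constructed; the hardened one reads the key from an environment variable and fails closed if it is absent.

```python
"""Flag hard-coded Flask SECRET_KEY assignments using the stdlib ast module."""
import ast

# Constructed sample: the vulnerable pattern from the issue (string literal in
# source) in the three forms it usually takes.
VULNERABLE_SRC = '''
from flask import Flask
app = Flask(__name__)
app.secret_key = "s3cr3t-dev-key"
app.config["SECRET_KEY"] = "another-literal"
SECRET_KEY = "settings-module-literal"
'''

# Constructed sample: the hardened pattern. os.environ[...] raises KeyError when
# the variable is missing, so the app never falls back to a known default key.
HARDENED_SRC = '''
import os
from flask import Flask
app = Flask(__name__)
app.config["SECRET_KEY"] = os.environ["FLASK_SECRET_KEY"]
'''


def _targets_secret_key(target: ast.expr) -> bool:
    """True for SECRET_KEY, <obj>.secret_key / <obj>.SECRET_KEY, or <obj>["SECRET_KEY"]."""
    if isinstance(target, ast.Name):
        return target.id == "SECRET_KEY"
    if isinstance(target, ast.Attribute):
        return target.attr in ("secret_key", "SECRET_KEY")
    if isinstance(target, ast.Subscript):
        key = target.slice  # Python 3.9+: the index expression itself
        return isinstance(key, ast.Constant) and key.value == "SECRET_KEY"
    return False


def find_hardcoded_secret_keys(source: str) -> list[tuple[int, str]]:
    """Return (line number, repr of literal) for each SECRET_KEY set to a str/bytes literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(_targets_secret_key(t) for t in node.targets):
            continue
        # Only constant string/bytes values are a finding; os.environ lookups,
        # function calls and variables are left alone.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, (str, bytes)):
            findings.append((node.lineno, repr(node.value.value)))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        hits = find_hardcoded_secret_keys(src)
        print(f"{label}: {len(hits)} hard-coded key(s) {hits}")
```

Pointing `find_hardcoded_secret_keys` at each `.py` file in a repository gives a pre-merge check that would have flagged all three locations named in the report.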