Insecure Randomness #265
Comments
@greenpau let me know if you accept contributions for this issue. I was reading the
@st3fan, please do! 😄 thank you for the offer!
This looks like a simple fix. Is anyone working on it?
@gedw99, feel free to contribute!
@ahpaleus, please see if the fix addresses your concerns.
No activity. Closing.
Severity: High
The caddy-security plugin uses the math/rand Golang library with a seed based on the Unix timestamp to generate strings for three security-critical contexts in the application, which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.
To immediately mitigate this vulnerability, use a cryptographically secure random number generator for generating the random strings. Golang’s library crypto/rand is designed for secure random number generation.
In addition to that fix, we recommend considering the following long-term recommendations:
More information about our public disclosure:
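The pattern described in the issue and the recommended mitigation, side by side, as an added Go example (not code from caddy-security). The names `weakString` and `secureString`, the character set, and the second-resolution seed are assumptions made for illustration.

```go
package main

import (
	crand "crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
	"time"
)

// Illustrative alphabet (assumption, not taken from the plugin).
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// weakString mirrors the pattern the issue describes: math/rand seeded from a
// Unix timestamp. The seed fully determines the output, so anyone who can
// narrow down the generation time can reproduce the string.
func weakString(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = charset[r.Intn(len(charset))]
	}
	return string(b)
}

// secureString draws every character from crypto/rand. rand.Int samples
// uniformly in [0, limit), so there is no modulo bias.
func secureString(n int) (string, error) {
	limit := big.NewInt(int64(len(charset)))
	b := make([]byte, n)
	for i := range b {
		idx, err := crand.Int(crand.Reader, limit)
		if err != nil {
			return "", err // fail closed; never fall back to math/rand
		}
		b[i] = charset[idx.Int64()]
	}
	return string(b), nil
}

func main() {
	seed := time.Now().Unix() // second resolution is an assumption
	fmt.Println("weak, same seed twice:", weakString(seed, 32), weakString(seed, 32))
	a, _ := secureString(32)
	b, _ := secureString(32)
	fmt.Println("secure, two calls:    ", a, b)
}
```

Callers generating nonces, MFA secrets or API keys should propagate the error from `secureString` rather than substitute a default value.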