Cookie-based sessions do not include a remote code execution warning
| Reported by: | Erik Romijn | Owned by: | nobody |
| Cc: | eromijn@… | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
As cookie-based sessions use pickle, an attacker who is able to generate an arbitrary valid session cookie is able to remotely execute arbitrary code. This means that anyone who has the secret key of any website that has cookie-based sessions enabled can execute arbitrary code.

This is not a new fact, but I think it deserves a bold warning with the cookie-based sessions documentation, as it is a much more extreme case than other possible risks of leaking the secret key.
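The sketch below is an added illustration, not code from the ticket or from Django: it shows that a valid signature only proves the cookie was made by a key holder, so what that holder can do depends on the deserializer behind the check. The cookie format, key and function names are constructed for this example, and the built-in `len` stands in as a harmless importable callable.

```python
import base64, hashlib, hmac, io, json, pickle

SECRET_KEY = b"constructed-demo-key"  # constructed; stands in for the site's secret key

def sign(payload: bytes, key: bytes = SECRET_KEY) -> str:
    """Simplified signed cookie (assumed format): urlsafe-b64(payload):hex(HMAC-SHA256)."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode("ascii") + ":" + mac

def unsign(cookie: str, key: bytes = SECRET_KEY) -> bytes:
    """Return the payload if the MAC verifies, else raise ValueError."""
    b64, _, mac = cookie.rpartition(":")
    payload = base64.urlsafe_b64decode(b64)
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise ValueError("bad signature")
    return payload

def load_pickle(cookie: str):
    """Pattern the ticket warns about: whoever holds the key chooses what pickle builds."""
    return pickle.loads(unsign(cookie))

class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every module-level lookup, so only plain containers and scalars load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def load_restricted(cookie: str):
    return NoGlobalsUnpickler(io.BytesIO(unsign(cookie))).load()

def load_json(cookie: str) -> dict:
    """Data-only format: the worst a key holder can do is supply unexpected values."""
    data = json.loads(unsign(cookie))
    if not isinstance(data, dict):
        raise ValueError("session must be a JSON object")
    return data

if __name__ == "__main__":
    session = {"user_id": 42}
    print(load_restricted(sign(pickle.dumps(session))))
    print(load_json(sign(json.dumps(session).encode())))
    signed_by_key_holder = sign(pickle.dumps(len))  # valid MAC, names an importable callable
    print(load_pickle(signed_by_key_holder))        # <built-in function len>
    for loader in (load_restricted, load_json):
        try:
            loader(signed_by_key_holder)
        except (pickle.UnpicklingError, ValueError) as exc:
            print(loader.__name__, "rejected:", type(exc).__name__)
```

With the plain pickle loader the signature check is the only barrier, which is why a leaked secret key is so much more serious here than for a data-only session format.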