Mojolicious HMAC Session Secret Vulnerability Allowing Session Hijacking
Vulnerability
A vulnerability exists in Mojolicious for Perl, versions 0.999922 up to but not including 9.40, where a hard-coded string or the application's class name is used as the default HMAC session secret. Because these default secrets are predictable, they can be used to forge session cookies: an attacker who knows or guesses the secret can compute valid HMAC signatures for the session cookie and thereby tamper with or hijack another user's session.
Impact
Exploitation of this vulnerability allows session hijacking: an attacker can impersonate another user by forging or tampering with that user's session cookie.
Reproduction
To reproduce this vulnerability, create a Mojolicious application without setting a custom secret. The application will use the default secret, which is predictable. Once the application is running, the session cookie can be intercepted and manipulated by forging HMAC signatures, effectively hijacking the user's session.
Remediation
Users can set a strong, random HMAC secret in their Mojolicious application to mitigate this vulnerability. This can be done by updating the application's configuration to include a secure secret passphrase.
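As an added example (not code from the advisory or from the Mojolicious project), the following Mojolicious::Lite application reads its session secret from an environment variable, refuses to start if the value is missing, short, or equal to the framework's insecure defaults, and installs it through the `secrets` attribute. The variable name MOJO_SESSION_SECRET is assumed for this example.

```perl
#!/usr/bin/env perl
# Added example: a Mojolicious::Lite app that loads its HMAC session
# secret from the environment and refuses to run with a weak one.
# MOJO_SESSION_SECRET is a hypothetical variable name used here.
use Mojolicious::Lite -signatures;

# Validate the secret before any route is registered.
sub check_secret ($secret) {
  die "MOJO_SESSION_SECRET is not set\n"
    unless defined $secret && length $secret;

  # Mojolicious falls back to the application class name or moniker
  # (older releases used a hard-coded string); neither is acceptable.
  die "Secret must not be the application class name or moniker\n"
    if $secret eq ref app || $secret eq app->moniker;

  # A short passphrase is cheap to guess; require a reasonable length.
  die "Secret must be at least 32 characters\n" if length $secret < 32;

  return $secret;
}

# To rotate, prepend a new secret; older entries keep verifying existing
# cookies until they are removed from the list.
app->secrets([check_secret($ENV{MOJO_SESSION_SECRET})]);

get '/' => sub ($c) {
  my $visits = $c->session('visits') // 0;
  $c->session(visits => ++$visits);
  $c->render(text => "Visits this session: $visits\n");
};

app->start;
```

Generate the value with a cryptographically secure source, for example `openssl rand -base64 32`, and export it as MOJO_SESSION_SECRET before starting the application.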
