Mojolicious Weak HMAC Session Secret Vulnerability

A vulnerability exists in Mojolicious versions 7.28 through 9.40 for Perl, where the framework generates weak HMAC session secrets. The issue arises because the default application generator uses the insecure rand() function to create a secret that is then saved in the application's configuration file. This weak secret is used to authenticate and ensure the integrity of session data, potentially allowing attackers to brute-force session keys.

Impact

Exploitation of this vulnerability could lead to the brute-forcing of session keys, allowing for unauthorized access to user sessions.

Reproduction

To reproduce this vulnerability, create a new Mojolicious application using the 'mojo generate app' command. This will generate a default application with a weak HMAC session secret. The secret can be found in the application's configuration file, where it is written using the rand() function, which is not cryptographically secure.

Remediation

Users can manually set a strong session secret in their application's configuration file. It is recommended to use a secret generated from a cryptographically secure random number generator, such as those provided by the Crypt::Random or Crypt::URandom modules.