While configuring Pry for the pry developers today and doing some of the most basic security tests on our server, I decided to see how well it could handle authentication, and it's basic: I put in the wrong password and it showed me everything in the class it init. If somebody were to create a blank class and put the password hash in that class, it would render the entire point of auth moot.
jordon@envygeeks:~ % pry-remote-em pryem://pry01.envygeeks.com:1337
[pry-remote-em] client connected
[pry-remote-em] remote is PryRemoteEm 0.4.2 pryem
user: envygeeks
envygeeks's password: ****

Frame number: 0/0

From: /home/pry/.bin/pry_server @ line 16 in Foo#initialize:

    11:
    12: require 'pry-remote-em/server'
    13:
    14: class Foo
    15:   def initialize
 => 16:     binding.remote_pry_em('10.4.5.71', 1337, auth: $auth)
    17:   end
    18: end
    19:
    20: EM.run do
    21:   Foo.new
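The dump above is Pry's source listing around the binding. As an added illustration (not pry-remote-em's or the reporter's code), the Ruby below re-implements that listing in simplified form over two constructed server scripts and checks whether the credential value would appear in it: one keeps the auth hash literal next to the binding, as in the report, the other reads it from the environment (assumed variable names PRY_USER and PRY_PASSWORD; the password is a placeholder).

```ruby
require 'tempfile'
# Render `window` lines around `line` of `path`, numbered, with Pry's "=>"
# marker on the current line (a simplified stand-in for Pry's own listing).
def source_context(path, line, window = 5)
  lines = File.readlines(path, chomp: true)
  first = [line - window, 1].max
  last  = [line + window, lines.size].min
  (first..last).map do |n|
    format('%s %d: %s', n == line ? '=>' : '  ', n, lines[n - 1])
  end
end

# Constructed server scripts (password is a placeholder). Variant A keeps the
# credential literally in the file, right next to the binding.
INLINE_AUTH = <<~RUBY
  require 'pry-remote-em/server'
  $auth = { 'envygeeks' => 'hunter2-placeholder' }
  class Foo
    def initialize
      binding.remote_pry_em('127.0.0.1', 1337, auth: $auth)
    end
  end
RUBY

# Variant B loads the credential from the environment, so the source around
# the binding names only ENV keys, never the secret value.
ENV_AUTH = <<~RUBY
  require 'pry-remote-em/server'
  $auth = { ENV.fetch('PRY_USER') => ENV.fetch('PRY_PASSWORD') }
  class Foo
    def initialize
      binding.remote_pry_em('127.0.0.1', 1337, auth: $auth)
    end
  end
RUBY

# Write the script to a temp file and render the dump around line 5, which is
# the `binding.remote_pry_em` call in both variants.
def render_context(src, line = 5)
  Tempfile.create(['pry_server', '.rb']) do |f|
    f.write(src); f.flush
    source_context(f.path, line)
  end
end

# True if the secret value would appear in what a rejected client sees.
def leaks?(src, secret)
  render_context(src).any? { |l| l.include?(secret) }
end

puts leaks?(INLINE_AUTH, 'hunter2-placeholder')  # => true
puts leaks?(ENV_AUTH, 'hunter2-placeholder')     # => false
```

The listing is still shown to the unauthenticated client in both variants; the second only keeps the credential value out of it.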
It only happens when you run it as binding.remote_pry_em ...., right?
If you start the server as some_object.remote_pry_em you won't get the dump with the password, correct?