Play Framework Session Tampering Vulnerability

On 6 August, a security vulnerability was announced in the Play! application framework.
Due to incorrect handling of strings containing the ASCII null character (0x00), Play’s session cookies may be modified or forged by malicious users. The impact varies widely from app to app, but a typical attack would be to impersonate a different user of the application, e.g., an administrator.
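To make the class of bug concrete, here is an added example (not Play’s code, and not a description of Play’s exact code path) that models a null-byte handling mismatch in an HMAC-signed session cookie. The cookie layout, the field names `user` and `nick`, the secret and the attacker input are all assumptions constructed for the demo. The vulnerable pair signs and verifies the session data as a C-style string, so bytes after the first 0x00 are never covered by the MAC, while the key=value parser reads every byte; the hardened pair refuses control characters at write time, percent-encodes values, and signs exactly the bytes the parser consumes.

```python
"""Model of a NUL-byte handling mismatch in an HMAC-signed session cookie.

Added example, not Play's code.  Assumed cookie layout for the demo:
    <hex HMAC-SHA256 over data>-<key=value&key=value>
"""
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import quote, unquote

SECRET = b"constructed-demo-secret-not-for-real-use"   # constructed for the demo
_CONTROL = set(range(0x00, 0x20)) | {0x7F}             # NUL and other control bytes


def _mac(data: bytes) -> str:
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def _c_string(data: bytes) -> bytes:
    """Emulate NUL-terminated string handling: drop everything from 0x00 on."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


def _parse_pairs(data: bytes) -> Dict[str, str]:
    """Byte-exact key=value&key=value parser; a repeated key overwrites."""
    session: Dict[str, str] = {}
    for field in data.split(b"&"):
        if b"=" in field:
            key, value = field.split(b"=", 1)
            session[key.decode("latin-1")] = value.decode("latin-1")
    return session


# --- vulnerable variant ------------------------------------------------------

def vulnerable_encode(session: Dict[str, str]) -> str:
    data = "&".join(f"{k}={v}" for k, v in session.items()).encode("latin-1")
    # BUG: the MAC covers only the C-string view of the data.
    return _mac(_c_string(data)) + "-" + data.decode("latin-1")


def vulnerable_decode(cookie: str) -> Optional[Dict[str, str]]:
    sig, _, data_str = cookie.partition("-")
    data = data_str.encode("latin-1")
    # Verification agrees with the signer (both stop at NUL) ...
    if not hmac.compare_digest(sig, _mac(_c_string(data))):
        return None
    # ... but the parser reads bytes the MAC never covered.
    return _parse_pairs(data)


# --- hardened variant --------------------------------------------------------

def hardened_encode(session: Dict[str, str]) -> str:
    fields = []
    for key, value in session.items():
        for text in (key, value):
            if any(ord(ch) in _CONTROL for ch in text):
                raise ValueError("control character in session data")
        # Percent-encoding keeps '&', '=' and '%' out of the serialised form.
        fields.append(quote(key, safe="") + "=" + quote(value, safe=""))
    data = "&".join(fields).encode("ascii")
    return _mac(data) + "-" + data.decode("ascii")


def hardened_decode(cookie: str) -> Optional[Dict[str, str]]:
    if not cookie.isascii() or any(ord(ch) in _CONTROL for ch in cookie):
        return None
    sig, sep, data_str = cookie.partition("-")
    # The MAC is checked over exactly the bytes that are parsed below.
    if not sep or not hmac.compare_digest(sig, _mac(data_str.encode("ascii"))):
        return None
    return {unquote(k): unquote(v)
            for k, v in (f.split("=", 1) for f in data_str.split("&") if "=" in f)}


# --- demo: attacker-chosen "nick" carries a NUL and a second user= field ------
ATTACK_NICK = "x\x00&user=admin"   # constructed attacker input


def vulnerable_outcome() -> str:
    """Who the vulnerable app thinks the attacker is after the round trip."""
    cookie = vulnerable_encode({"user": "mallory", "nick": ATTACK_NICK})
    return vulnerable_decode(cookie)["user"]   # "admin"


def hardened_outcome() -> str:
    """The hardened encoder refuses to store the payload at all."""
    try:
        hardened_encode({"user": "mallory", "nick": ATTACK_NICK})
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("vulnerable app sees user =", vulnerable_outcome())
    print("hardened app:", hardened_outcome())
```

The lesson carries beyond this one framework: whenever one layer treats a string as NUL-terminated and another treats it as length-prefixed, the bytes between the two views are effectively unsigned, so reject control characters in anything that ends up in a signed cookie and always verify the MAC over the exact bytes you go on to parse.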

Heroku strongly encourages you to update to a patched version of Play:

For Play 1.x applications
Update the Play version in your app’s conf/dependencies.yml file to 1.2.6 and `git push heroku master`.
Additional details are available at https://devcenter.heroku.com/articles/play#declare-dependencies

For Play 2.x applications
Update your app’s project/plugins.sbt to Play 2.0.6 (for 2.0.x apps) or 2.1.3 (for 2.1.x apps) and `git push heroku master`. For a 2.0.x app the relevant line should read (use "2.1.3" as the version string for a 2.1.x app)…
addSbtPlugin("play" % "sbt-plugin" % "2.0.6")
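If you manage more than one Play app, a quick audit script saves opening each build file by hand. The following is an added example (not from this article or the Play project) that extracts the Play version from either a project/plugins.sbt or a conf/dependencies.yml and reports whether it is at or above the fixed version named above for its series; the two sample file contents are constructed for the demo, and any series the advisory does not mention is reported as unknown rather than guessed at.

```python
"""Audit Play build files for the session-tampering fix versions.

Added example; the fixed versions are the ones named in the advisory text
(1.2.6, 2.0.6, 2.1.3).  Sample file contents below are constructed.
"""
import re
from typing import Optional, Tuple

# series prefix -> first fixed version in that series
PATCHED = {(1,): (1, 2, 6), (2, 0): (2, 0, 6), (2, 1): (2, 1, 3)}

_SBT = re.compile(r'addSbtPlugin\(\s*"play"\s*%\s*"sbt-plugin"\s*%\s*"([^"]+)"\s*\)')
_YML = re.compile(r'^\s*-\s*play\s+(\S+)\s*$', re.MULTILINE)

PLUGINS_SBT = '''// constructed sample project/plugins.sbt
addSbtPlugin("play" % "sbt-plugin" % "2.0.4")
'''
DEPENDENCIES_YML = '''# constructed sample conf/dependencies.yml
require:
    - play 1.2.5
'''


def play_version(text: str) -> Optional[str]:
    """Return the Play version string found in plugins.sbt or dependencies.yml."""
    match = _SBT.search(text) or _YML.search(text)
    return match.group(1) if match else None


def _key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: numeric parts, then 0 for a pre-release suffix, 1 for a release."""
    match = re.match(r'(\d+(?:\.\d+)*)(.*)', version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    return nums, 0 if match.group(2) else 1   # 2.1.3-RC1 sorts below 2.1.3


def is_patched(version: str) -> Optional[bool]:
    """True/False for a series the advisory covers, None for any other series."""
    nums, _ = _key(version)
    for series, fixed in PATCHED.items():
        if nums[:len(series)] == series:
            return _key(version) >= (fixed, 1)
    return None


def audit(text: str) -> str:
    version = play_version(text)
    if version is None:
        return "missing"
    patched = is_patched(version)
    if patched is None:
        return "unknown"
    return "patched" if patched else "vulnerable"


if __name__ == "__main__":
    for name, text in (("plugins.sbt", PLUGINS_SBT), ("dependencies.yml", DEPENDENCIES_YML)):
        print(f"{name}: Play {play_version(text)} -> {audit(text)}")
```

Point it at real files with `audit(open(path).read())`; a result of "unknown" means the file names a Play series this advisory does not cover, which is a prompt to check the Play project's own advisory rather than a clean bill of health.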

