28 [poster name unreadable in extraction] 2023/09/08 01:00:13
>>27
CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution
https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
Back in October 2021, when we first started researching Superset, we noticed that the SECRET_KEY is defaulted to the value \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h at install time. It's the end user's responsibility to modify the application configuration to set the SECRET_KEY to a cryptographically secure random string.
This is documented in the Superset configuration guide. But we were curious what percentage of users actually read the documentation.
So, using Shodan, we did a basic search for Superset servers on the Internet.
Simply requesting the Superset login page (without attempting to login) returns a session cookie that we then passed through flask-unsign to determine if it was signed with the default SECRET_KEY.
To our surprise, we found that 918/1288 (> 70%) of all servers were using the default SECRET_KEY!
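The check the quoted post describes (take the session cookie the login page hands out, see whether its signature verifies under the default SECRET_KEY) can be reproduced with nothing but the standard library. The block below is an added example, not code from the post, from Horizon3, or from the flask-unsign tool. It assumes Flask's session-cookie construction as implemented by itsdangerous' URLSafeTimedSerializer: salt `cookie-session`, `hmac` key derivation and SHA-1, with the cookie laid out as `payload.timestamp.signature`; the sample cookies are constructed locally, not captured from any server, and the function names are the example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The default SECRET_KEY shipped in Superset's config, as quoted in the post above.
# Python string escapes apply: \x02/\x01 are control bytes, \\e etc. are literal backslashes.
DEFAULT_SUPERSET_KEY = "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h"

# Flask session-cookie signing parameters (assumption: Flask/itsdangerous defaults).
SALT = b"cookie-session"
DIGEST = hashlib.sha1


def _b64(data: bytes) -> bytes:
    """URL-safe base64 with the '=' padding stripped, as itsdangerous encodes it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _signature(secret_key: str, signed_value: bytes) -> bytes:
    """Reproduce the 'hmac' key derivation followed by HMAC-SHA1 over the value."""
    derived = hmac.new(secret_key.encode("utf-8"), SALT, DIGEST).digest()
    return _b64(hmac.new(derived, signed_value, DIGEST).digest())


def sign_session(payload: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Build a Flask-style session cookie (uncompressed payload) to test against."""
    if timestamp is None:
        timestamp = int(time.time())
    body = _b64(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    ts = _b64(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    value = body + b"." + ts
    return (value + b"." + _signature(secret_key, value)).decode("ascii")


def uses_secret_key(cookie: str, secret_key: str) -> bool:
    """True if the cookie's signature verifies under secret_key.

    Only the trailing signature field is split off. The payload itself may begin
    with '.' (itsdangerous' marker for a zlib-compressed payload), so rpartition
    is used instead of split; the payload never needs to be decoded for the check.
    """
    raw = cookie.encode("ascii", errors="ignore")
    value, sep, sig = raw.rpartition(b".")
    if not sep or not value or not sig:
        return False
    return hmac.compare_digest(_signature(secret_key, value), sig)


def has_default_superset_key(cookie: str) -> bool:
    """The post's test: was this cookie signed with Superset's shipped default key?"""
    return uses_secret_key(cookie, DEFAULT_SUPERSET_KEY)


# Constructed sample cookies (not captured from any real server): one signed with the
# default key, one with a key an operator actually changed.
SAMPLE_DEFAULT = sign_session({"_fresh": False}, DEFAULT_SUPERSET_KEY, 1694098813)
SAMPLE_CUSTOM = sign_session({"_fresh": False}, "replace-me-with-os-urandom-output", 1694098813)

if __name__ == "__main__":
    for label, cookie in (("default", SAMPLE_DEFAULT), ("custom", SAMPLE_CUSTOM)):
        verdict = "signed with DEFAULT key" if has_default_superset_key(cookie) else "not the default key"
        print(f"{label}: {verdict}")
```

To run the check against a live instance, request the login page once, take the value of the `session` cookie from the `Set-Cookie` response header, and pass it to `has_default_superset_key`. No login attempt is needed, which is why the survey in the post could be done without authenticating to anyone's server. A positive result means any client can mint its own signed session (including whatever user id the application trusts from it), which is the root of the RCE chain the article describes.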