Mojolicious weak secret key - Vulnerability Database

Mojolicious weak secret key

Description

The Mojolicious web framework uses a secret key to cryptographically sign session cookies, preventing unauthorized modification of cookie data. This application is configured with a weak, default, or commonly-used secret key that can be easily guessed or is publicly known. Invicti successfully identified the secret key, demonstrating that attackers can also discover it.

Remediation

Generate a cryptographically strong random secret key and configure your Mojolicious application to use it. The secret should be at least 32 characters long and contain random alphanumeric characters.

Update your application configuration:

    use Mojolicious::Lite;

    # Generate a random secret (do this once, then store it securely)
    app->secrets(['your-randomly-generated-secret-key-here']);

    app->start;

For production environments, store the secret in an environment variable or a secure configuration management system rather than hardcoding it:

    use Mojolicious::Lite;

    # Read the secret from the environment at startup
    app->secrets([$ENV{MOJOLICIOUS_SECRET}]);

    app->start;

Generate a secure random secret using:

    perl -e 'print map{("a".."z","A".."Z",0..9)[rand 62]}1..40'

After changing the secret, all existing sessions will be invalidated and users will need to re-authenticate.
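As an added example (not Invicti's or the Mojolicious project's code), the environment-variable configuration above can be hardened with a startup check that refuses to boot on a missing, short or placeholder secret, and that keeps the previous secret for verification during rotation. The check_secret helper, the MOJOLICIOUS_SECRET_PREVIOUS variable and the placeholder list are assumptions of this example.

```perl
use Mojolicious::Lite -signatures;
use Mojo::Util qw(secure_compare);

# Assumed list of placeholder values to reject: the value from the snippet
# above plus a few constructed examples of commonly-used secrets.
my @placeholders = (
  'your-randomly-generated-secret-key-here',
  'secret', 'changeme', 'password',
);

# Hypothetical helper: validate the secret before the app uses it.
sub check_secret ($secret) {
  die "MOJOLICIOUS_SECRET is not set\n" unless defined $secret && length $secret;
  die "MOJOLICIOUS_SECRET is too short (need at least 32 characters)\n"
    if length $secret < 32;
  for my $bad (@placeholders) {
    die "MOJOLICIOUS_SECRET is a known placeholder value\n"
      if secure_compare($secret, $bad);
  }
  return $secret;
}

my @secrets = (check_secret($ENV{MOJOLICIOUS_SECRET}));

# Mojolicious signs new cookies with the first secret and verifies against all
# of them, so keeping the previous secret (assumed env var) lets existing
# sessions stay valid while new ones are signed with the current secret.
push @secrets, $ENV{MOJOLICIOUS_SECRET_PREVIOUS} if $ENV{MOJOLICIOUS_SECRET_PREVIOUS};
app->secrets(\@secrets);

# Minimal route that exercises the signed session cookie.
get '/' => sub ($c) {
  $c->session(visits => ($c->session('visits') // 0) + 1);
  $c->render(text => 'visits: ' . $c->session('visits'));
};

app->start;
```

Perl's built-in rand is not a cryptographic generator, so for the secret itself prefer an OS-backed source such as `openssl rand -base64 32`. Drop the previous secret from the list once the old sessions have expired.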
