Ruby on Rails Bug in 'http_authentication.rb' Lets Remote Users Bypass Authentication
SecurityTracker Alert ID: 1022517
SecurityTracker URL: http://securitytracker.com/id/1022517
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 7 2009
Impact:
User access via network
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 2.3.x prior to 2.3.3 (the HTTP Digest helper was introduced in Rails 2.3)
Description:
A vulnerability was reported in the HTTP Digest authentication support of Ruby on Rails (actionpack, http_authentication.rb). A remote user can bypass authentication.
The digest validation hands the client-supplied username to the application's password-lookup block and hashes whatever the block returns. When the username is unknown the block returns nil, which is hashed as an empty credential instead of being rejected, so a remote user can supply a specially crafted (invalid) username with no password, compute a digest response that matches from values already known to the client (nonce, nc, cnonce, qop, method and URI), and access a protected page. Only applications that use authenticate_with_http_digest or authenticate_or_request_with_http_digest are affected; HTTP Basic authentication is not involved.
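As an added example (not code from this advisory and not Rails' own implementation), the following Ruby models the bypass described above: a simplified digest validator whose password-lookup block returns nil for an unknown user, shown beside the guarded version corresponding to the referenced fix. The sample challenge values, the user store, and all function names are this example's own constructions; the forged response is an MD5 over an empty HA1, which requires no secret at all.

```ruby
require 'digest/md5'

# Constructed sample challenge parameters standing in for a real exchange.
# Every one of them is visible to the client, so an attacker knows them all.
REALM       = 'Application'
NONCE       = '3fd1c2a9b0e4'   # server-issued nonce (sample value)
CNONCE      = 'c0ffee'         # client nonce (sample value)
NC          = '00000001'
QOP         = 'auth'
HTTP_METHOD = 'GET'
REQUEST_URI = '/admin'

# Hypothetical user store. The lookup block returns the password for a known
# user and nil for an unknown one, which is exactly the case the bug turns on.
USERS = { 'alice' => 's3cret' }.freeze
PASSWORD_LOOKUP = ->(username) { USERS[username] }

def ha1(username, realm, password)
  Digest::MD5.hexdigest([username, realm, password].join(':'))
end

def ha2(http_method, uri)
  Digest::MD5.hexdigest([http_method.upcase, uri].join(':'))
end

# RFC 2617 request-digest with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2).
def request_digest(ha1_value, fields)
  Digest::MD5.hexdigest([ha1_value, fields[:nonce], fields[:nc], fields[:cnonce],
                         fields[:qop], ha2(fields[:method], fields[:uri])].join(':'))
end

def challenge_fields(username)
  { username: username, realm: REALM, nonce: NONCE, nc: NC, cnonce: CNONCE,
    qop: QOP, method: HTTP_METHOD, uri: REQUEST_URI }
end

# Shared comparison: the lookup block may return either a plaintext password or
# a precomputed HA1, so both interpretations are tried.
def digest_matches?(creds, password)
  [true, false].any? do |password_is_ha1|
    expected_ha1 = password_is_ha1 ? password : ha1(creds[:username], creds[:realm], password)
    request_digest(expected_ha1, creds) == creds[:response]
  end
end

# Vulnerable validator, modelled on the pre-2.3.3 behaviour: the nil returned
# for an unknown user is hashed anyway, and Array#join turns nil into '', so the
# "expected" digest is one the attacker can compute without any secret.
def validate_vulnerable(creds, &lookup)
  digest_matches?(creds, lookup.call(creds[:username]))
end

# Hardened validator: an unknown user is rejected before any hashing, which is
# the guard the referenced fix introduces.
def validate_fixed(creds, &lookup)
  password = lookup.call(creds[:username])
  return false unless password
  digest_matches?(creds, password)
end

# Honest client: derives HA1 from its real username, realm and password.
def legitimate_credentials(username, password)
  fields = challenge_fields(username)
  fields.merge(response: request_digest(ha1(username, REALM, password), fields))
end

# Attacker: sends a username that does not exist and a response computed over
# an empty HA1, i.e. no password at all.
def forged_credentials(bogus_username)
  fields = challenge_fields(bogus_username)
  fields.merge(response: request_digest('', fields))
end

def vulnerable_accepts_forgery?
  validate_vulnerable(forged_credentials('nobody'), &PASSWORD_LOOKUP)
end

def fixed_accepts_forgery?
  validate_fixed(forged_credentials('nobody'), &PASSWORD_LOOKUP)
end

def fixed_accepts_real_user?
  validate_fixed(legitimate_credentials('alice', 's3cret'), &PASSWORD_LOOKUP)
end

def fixed_accepts_wrong_password?
  validate_fixed(legitimate_credentials('alice', 'wrong'), &PASSWORD_LOOKUP)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable validator accepts unknown user, no password: #{vulnerable_accepts_forgery?}"
  puts "fixed validator accepts the same forgery:               #{fixed_accepts_forgery?}"
  puts "fixed validator accepts alice with correct password:    #{fixed_accepts_real_user?}"
end
```

The second interpretation tried by digest_matches? (plaintext password rather than HA1) is forgeable in the same way when the lookup returns nil, since MD5("nobody:Application:") is just as computable by the attacker; the single nil guard in validate_fixed closes both paths. When auditing an application, the check to make is whether its own lookup block can ever return nil or an empty string, not just whether Rails has been upgraded.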
Impact:
A remote user can bypass HTTP Digest authentication and access pages the application protects with it.
Solution:
The vendor has issued a source code fix (a single commit), available at:
http://github.com/rails/rails/commit/1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0
The fix will be included in the upcoming 2.3.3 version; until then, the commit can be applied directly to the copy of Rails 2.3 an application ships with.
The vendor's advisory is available at:
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
Vendor URL: weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
Cause:
Authentication error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Tue, 7 Jul 2009 00:58:50 -0400
Subject: Ruby on Rails
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest