Ruby on Rails Security Project

Exploring the Security of Rails and friends.


Entries from October 2007

restful_authentication login security

October 28th, 2007 · 9 Comments

There is a serious security leak in the restful_authentication plugin regarding the activation of an account. You can use it to log in without user credentials or impersonate someone else.
The "activate" method of the controller accepts an empty activation code parameter like this (depending on your routes):
http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=
Which will create this SQL: SELECT * […]


Tags: Rails · Uncategorized

HTTP Authentication and Feed Security

October 18th, 2007 · 13 Comments

In the context of looking for a secure way to send out feeds (RSS, Atom, …), I found several options:

Use basic access authentication to prompt for a user name and password before granting access. This is supported by quite a lot of feed readers and browsers (where you have to enter your credentials).

Advantage: Easy to use, Rails […]


Tags: Uncategorized

Rails 1.2.5 security release

October 15th, 2007 · No Comments

There is another security release, which once again addresses the to_json vulnerability. It now has a CVE. If you used to_json in a page you generate:
<script type="text/javascript"> var customers = <%= @customers.to_json %>; </script>
you should upgrade to 1.2.5. It also fixes some bugs from 1.2.4.


Tags: Uncategorized · XSS and Rails

Rails 1.2.4 Maintenance release, security

October 10th, 2007 · No Comments

The release of Ruby on Rails 1.2.4 addresses some potential security issues; all users of earlier versions are advised to upgrade to 1.2.4.
The following issues have been addressed:

URL-based sessions are no longer enabled by default, as it allowed users to provide their session_id in the URL as well as cookies. The functionality could be […]


Tags: Rails · XSS and Rails

ActionPack: Security

October 1st, 2007 · 1 Comment

The Rails 2.0 Preview Release is available now, which is great news. The announcement includes a paragraph on security:

"we now ship with a built-in mechanism for dealing with CSRF attacks": yes, it works fine
"The old TextHelper#sanitize method has gone from a black list (very hard to keep secure) approach to a white list approach." Very […]


Tags: Rails · XSS and Rails