Sunday, Oct 28, 2007

restful_authentication login security

There is a serious security hole in the restful_authentication plugin in the account activation step. It can be used to log in without any user credentials, or to impersonate someone else.

The "activate" method of the controller accepts an empty activation code parameter, for example via one of these URLs (depending on your routes):

http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=

This produces the following SQL:
SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1

An attacker can therefore log in without a password as the first account found with an empty activation_code, i.e. as an already activated user!

This works for everyone inside and outside the app, because you would normally have skip_before_filter :login_required, :only => [:activate] in the controller. Even if you don't (rarely), registered users can still impersonate someone else!

The author has been informed and thankfully reacted with a new version of the plugin. Replace the first line of the method with this (depending on your model names):

self.current_user = params[:activation_code].blank? ? :false : User.find_by_activation_code(params[:activation_code]) 
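Added example, not code from the post or from the plugin: a plain-Ruby model of what the dynamic finder does with a nil parameter, with the vulnerable and the fixed first line of the action side by side. The in-memory users table and the sql_for helper are constructed stand-ins for the real model, and the plain-Ruby blank check stands in for ActiveSupport's blank?.

```ruby
# Added example (not the plugin's or the post's code): a plain-Ruby model of
# ActiveRecord's dynamic finder so the bug and the fix can be run without Rails.
User = Struct.new(:id, :login, :activation_code)

# Constructed sample table: alice and bob are already activated (their
# activation_code was cleared to NULL), carol is still pending.
USERS = [
  User.new(1, "alice", nil),
  User.new(2, "bob",   nil),
  User.new(3, "carol", "c0ffee"),
].freeze

# SQL shape that find_by_activation_code(value) emitted: a nil argument
# becomes "IS NULL", which matches every activated account.
# Display only; the real finder quotes the value properly.
def sql_for(value)
  cond = value.nil? ? "IS NULL" : "= '#{value}'"
  "SELECT * FROM users WHERE (users.`activation_code` #{cond}) LIMIT 1"
end

# In-memory stand-in for the finder, with the same nil semantics.
def find_by_activation_code(value)
  USERS.find { |u| u.activation_code == value }
end

# First line of the action before the fix: whoever is found gets signed in.
# Requesting /user/activate with no parameter gives params[:activation_code] == nil.
# :false is the plugin's sentinel for "nobody signed in".
def activate_vulnerable(params)
  user = find_by_activation_code(params[:activation_code])
  user ? user.login : :false
end

# The fixed first line from the post: a blank code never reaches the query.
def activate_fixed(params)
  code = params[:activation_code]
  return :false if code.nil? || code.strip.empty?
  user = find_by_activation_code(code)
  user ? user.login : :false
end

if __FILE__ == $PROGRAM_NAME
  puts sql_for(nil)
  puts "vulnerable, no code: signed in as #{activate_vulnerable({}).inspect}"
  puts "fixed, no code:      #{activate_fixed({}).inspect}"
  puts "fixed, real code:    #{activate_fixed(activation_code: 'c0ffee').inspect}"
end
```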


Reader Comments (29)

Thanks for spotting that!

October 28, 2007 | Unregistered Commenter Dr Nic

For such a popular plugin, I'm surprised it's taken this long to find this... Well spotted!

October 29, 2007 | Unregistered Commenter Zubin


thanks so much for this!

October 29, 2007 | Unregistered Commenter fox fox

The problem seems to be caught by Rails routing if you use the route suggested by the plugin:

map.connect 'activate/:activation_code', :controller => 'users', :action => 'activate'

The URL /activate/ or /activate/?activation_code= will then result in a routing error.

Nevertheless, adding the check for nil is a good idea.

But maybe that's the reason why it wasn't discovered earlier.

November 11, 2007 | Unregistered Commenter Hendrik

Nice catch. But with Edge Rails, I get a "No Routes Match" exception. The route I have:

map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate'

November 12, 2007 | Unregistered Commenter Jason

Thanks for spotting that!

November 17, 2007 | Unregistered Commenter bilgisayar tamiri

Mm, I'm on 1.2.5 and I don't get a routing error for the URL /activate, and I have the same route. The parameters will be

Parameters: {"action"=>"activate", "controller"=>"user"}

thus "activation_code" => nil.

In any case, I don't like making applications secure by saying "this will never happen"!

November 17, 2007 | Unregistered Commenter Heiko

Thank you, this post is very useful.

November 22, 2007 | Unregistered Commenter Dibistore

they should have detected this earlier

May 7, 2010 | Unregistered Commenter Bathrooms Sheffield

