restful_authentication login security
Sunday, October 28, 2007 at 2:39PM

There is a serious security leak in the restful_authentication plugin regarding the activation of an account. You can use it to log in without user credentials or impersonate someone else.
The "activate" method of the controller accepts an empty activation code parameter like this (depending on your routes):
http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=
Which will create this SQL:
SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1
An attacker will be able to log in without a password and use the first account found with an empty activation_code (that is, an already activated user)!
This works for everyone inside and outside the app, because you'd normally have a skip_before_filter :login_required, :only => [:activate] in the controller. Even if you don't (rarely), registered users can impersonate someone else!
The author has been informed and thankfully reacted with a new version of the plugin; the fix replaces the first line of the method with this (depending on your model names):
self.current_user = params[:activation_code].blank? ? :false : User.find_by_activation_code(params[:activation_code])
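To make the failure mode concrete, here is an added example (not the plugin's own code) that stands in for the User model with an in-memory list and mimics the ActiveRecord dynamic-finder semantics behind the SQL above: a nil argument matches rows whose activation_code IS NULL, and the first match is returned. The user records, the helper names and the sample activation code are constructed for the example.

```ruby
# Added example, not the restful_authentication plugin's own code: a minimal
# in-memory stand-in for the User model that mimics ActiveRecord's dynamic
# finder, where find_by_activation_code(nil) becomes
# "WHERE activation_code IS NULL LIMIT 1".
User = Struct.new(:id, :login, :activation_code)

# Constructed sample data: activated users have had their code cleared to
# nil; the pending user still carries hers.
USERS = [
  User.new(1, 'admin', nil),
  User.new(2, 'bob',   nil),
  User.new(3, 'carol', 'c0de-for-carol'),
].freeze

# Mimics ActiveRecord: nil matches rows whose column IS NULL, a string
# matches rows equal to it, and the first match is returned (LIMIT 1).
def find_by_activation_code(code)
  USERS.find { |u| u.activation_code == code }
end

# The plugin's original first line, reduced to its effect: whatever arrives
# in params goes straight to the finder, and the result becomes current_user.
def vulnerable_activate(params)
  find_by_activation_code(params[:activation_code]) || :false
end

# The patched first line from the post: a blank code (nil or "") never reaches
# the database, so :false (the plugin's "nobody logged in" value) comes back.
def fixed_activate(params)
  code = params[:activation_code]
  blank = code.nil? || code.to_s.strip.empty?
  blank ? :false : (find_by_activation_code(code) || :false)
end

# Returns the login that would end up as current_user, or nil when none.
def who_gets_logged_in(params, fixed: false)
  user = fixed ? fixed_activate(params) : vulnerable_activate(params)
  user == :false ? nil : user.login
end
```

With an empty request (no activation_code parameter at all) the vulnerable version hands back the first activated account, while the fixed version logs nobody in and only a real code still activates its owner.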
Heiko
Reader Comments (29)
Thanks for spotting that!
For such a popular plugin, I'm surprised it's taken this long to find this... Well spotted!
thanks so much for this!
The problem seems to be caught by Rails routing if you use the route suggested by the plugin:
map.connect 'activate/:activation_code', :controller => 'users', :action => 'activate'
The URL /activate/ or /activate/?activation_code= will then result in a routing error.
Nevertheless, adding the check for nil is a good idea.
But maybe that's the reason why it wasn't discovered earlier.
Nice catch. But with Edge Rails, I get a "No Routes Match" exception. The route I have:
map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate'
Thanks for spotting that!
Mm, I'm on 1.2.5 and I don't get a routing error for the URL /activate and I have the same route. The parameters will be
Parameters: {"action"=>"activate", "controller"=>"user"}
thus "activation_code" => nil.
In any way I don't like making applications secure by saying "this will never happen"!
Thank you, this post is very useful.
they should have detected this earlier