Ruby on Rails Security Project

Exploring the Security of Rails and friends.


restful_authentication login security

October 28th, 2007 · 9 Comments

There is a serious security vulnerability in the restful_authentication plugin's account activation. It can be used to log in without any user credentials or to impersonate someone else.

The "activate" method of the controller accepts an empty activation code parameter like this (depending on your routes):

http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=

Which will create this SQL:
SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1

An attacker is therefore able to log in without a password as the first account found with an empty activation_code, i.e. an already activated user!

This works for everyone inside and outside the app, because you normally have a skip_before_filter :login_required, :only => [:activate] in the controller. Even if you don't (which is rare), registered users can still impersonate someone else!

The author has been informed and thankfully responded with a new version of the plugin. Replace the first line of the method with this (depending on your model names), so that a blank code never reaches the database and the user stays logged out (:false is the plugin's convention for "nobody logged in"):

self.current_user = params[:activation_code].blank? ? :false : User.find_by_activation_code(params[:activation_code])
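To make the failure mode concrete, here is an added example (not the plugin's own code) that models both the vulnerable activate action and the fixed one with a constructed in-memory user list instead of ActiveRecord. The User struct, the USERS sample data, the ActivationController class and the blank? helper are all assumptions made for this illustration; the finder mimics ActiveRecord's dynamic finder semantics, where a nil argument matches rows whose column IS NULL.

```ruby
# Added example, not code from the restful_authentication plugin.
# Constructed sample users: an activated account has its activation_code
# cleared to nil, which is exactly the row a nil lookup matches.
User = Struct.new(:id, :login, :activation_code)

USERS = [
  User.new(1, "admin", nil),        # already activated
  User.new(2, "alice", "c0ffee42")  # still pending activation
].freeze

# Stand-in for ActiveRecord's find_by_activation_code: a nil argument
# generates "WHERE activation_code IS NULL", so a missing request
# parameter silently selects the first activated user.
def find_by_activation_code(code)
  USERS.find { |u| u.activation_code == code }
end

# Same semantics as ActiveSupport's blank?, without requiring ActiveSupport.
def blank?(value)
  value.nil? || value.to_s.strip.empty?
end

# Minimal stand-in for the users controller. Following the plugin's own
# convention, current_user is :false while nobody is logged in.
class ActivationController
  attr_reader :current_user

  def initialize(params)
    @params = params
    @current_user = :false
  end

  def logged_in?
    current_user != :false
  end

  # Vulnerable version: the database lookup runs even when the parameter
  # is absent, so a request without a code logs in an activated user.
  # Returns the login of whoever ends up logged in, or nil.
  def activate_vulnerable
    @current_user = find_by_activation_code(@params[:activation_code]) || :false
    logged_in? ? current_user.login : nil
  end

  # Fixed version, as in the post: a blank code never reaches the finder,
  # so the session stays logged out unless a real code matches.
  def activate_fixed
    code = @params[:activation_code]
    @current_user = blank?(code) ? :false : (find_by_activation_code(code) || :false)
    logged_in? ? current_user.login : nil
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, no code: #{ActivationController.new({}).activate_vulnerable.inspect}"
  puts "fixed, no code:      #{ActivationController.new({}).activate_fixed.inspect}"
  puts "fixed, valid code:   #{ActivationController.new(activation_code: 'c0ffee42').activate_fixed.inspect}"
end
```

Running the block shows the vulnerable action logging in "admin" from a request carrying no activation code at all, while the fixed action returns nil for a missing or empty code and only logs in "alice" when her actual code is supplied.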

Tags: Rails · Uncategorized

9 responses so far

  • 1 Dr Nic // Oct 28, 2007 at 14:47

    Thanks for spotting that!

  • 2 Zubin // Oct 28, 2007 at 19:27

    For such a popular plugin, I’m surprised it’s taken this long to find this… Well spotted!

  • 3 Daniel Fischer - Got Fisch? » Serious Restful_authentication Security Problem // Oct 28, 2007 at 22:46

    […] source […]

  • 4 Security update for Restful Authentication // Oct 29, 2007 at 6:39

    […] you’re new here, you may want to subscribe to my RSS feed. Thanks for visiting!http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/ Share and Enjoy: These icons link to social bookmarking sites where readers can share and […]

  • 5 fox fox // Oct 29, 2007 at 9:18

    thanks so much for this!

  • 6 Hendrik // Nov 11, 2007 at 13:43

    The problem seems to be caught by Rails routing if you use the route suggested by the plugin:

    map.connect 'activate/:activation_code', :controller => 'users', :action => 'activate'

    The URL /activate/ or /activate/?activation_code= will then result in a routing error.

    Nevertheless, adding the check for nil is a good idea.

    But maybe that’s the reason why it wasn’t discovered earlier.

  • 7 Jason // Nov 12, 2007 at 13:46

    Nice catch. But with edge Rails, I get a "No Routes Match" exception. The route I have:

    map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate'

  • 8 Heiko // Nov 17, 2007 at 3:52

    Mm, I'm on 1.2.5 and I don't get a routing error for the URL /activate, and I have the same route. The parameters will be

    Parameters: {"action"=>"activate", "controller"=>"user"}

    thus "activation_code" => nil.

    In any case I don't like making applications secure by saying "this will never happen"!

  • 9 Dibistore // Nov 22, 2007 at 4:25

    Thank you, this post is very useful
