There is a serious security hole in the restful_authentication plugin's account activation. It lets anyone log in without credentials, or lets a registered user impersonate someone else.
The "activate" action of the controller accepts a missing or empty activation_code parameter, for example (depending on your routes):
http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=
which produces this SQL:
SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1
Activated accounts have their activation_code cleared to NULL, so this query returns the first activated user, and the attacker is logged in as that user without a password!
This is reachable by everyone, logged in or not, because the controller normally has skip_before_filter :login_required, :only => [:activate]. Even if it doesn't (rarely), any registered user can still impersonate someone else!
The author has been informed and thankfully reacted with a new version of the plugin. The fix is to replace the first line of the method with this (adjust the model name to yours); blank? rejects both a missing (nil) and an empty-string code, so the finder never receives a value that turns into IS NULL:
self.current_user = params[:activation_code].blank? ? :false : User.find_by_activation_code(params[:activation_code])
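To make the failure concrete, here is an added example (not code from this post or from the restful_authentication plugin) that simulates the activate action against a constructed in-memory users table, with no Rails dependency. The User struct, the USERS rows, the finder stub and the symbol-keyed params hashes are assumptions standing in for ActiveRecord and the controller; the blank? check from the fix above is reproduced as blank_code?.

```ruby
# Added example: Rails-free simulation of restful_authentication's activate
# action. Shows why a missing/empty activation_code logs the caller into an
# already-activated account, and how the blank? guard closes the hole.

# Assumed stand-in for the plugin's User model (ActiveRecord in the real thing).
User = Struct.new(:id, :login, :activation_code, :activated_at) do
  # Mirrors the plugin's notion of an activated account.
  def active?
    !activated_at.nil?
  end
end

# Constructed sample rows. The plugin clears activation_code to nil on
# activation, so every activated user has a NULL code in the database.
USERS = [
  User.new(1, "admin",  nil,        Time.utc(2007, 10, 1)),  # activated: code is NULL
  User.new(2, "newbie", "c0ffee42", nil),                    # still pending activation
].freeze

# Stand-in for ActiveRecord's dynamic finder. find_by_activation_code(nil)
# becomes "WHERE activation_code IS NULL LIMIT 1"; Ruby's nil == nil reproduces
# that, so a nil code matches the first activated user.
def find_by_activation_code(code, users = USERS)
  users.find { |u| u.activation_code == code }
end

# First line of the original activate action: whatever the finder returns
# becomes current_user, i.e. is logged in.
def activate_vulnerable(params, users = USERS)
  find_by_activation_code(params[:activation_code], users)
end

# ActiveSupport's blank? without ActiveSupport: nil, "" and whitespace-only.
def blank_code?(value)
  value.nil? || value.to_s.strip.empty?
end

# The fixed first line from the post. :false is the plugin's "nobody logged in"
# marker for current_user; the database is never asked about a blank code.
def activate_patched(params, users = USERS)
  code = params[:activation_code]
  blank_code?(code) ? :false : find_by_activation_code(code, users)
end

if $PROGRAM_NAME == __FILE__
  # GET /user/activate with no parameter: params[:activation_code] is nil.
  p activate_vulnerable({})                                  # admin, no password asked
  p activate_patched({})                                     # :false
  # GET /activate/?activation_code= : the post's SQL shows this reaching the
  # finder as NULL as well; the guard rejects it before any query is built.
  p activate_patched({ activation_code: "" })                # :false
  # A real, unused code still activates and logs in its owner.
  p activate_patched({ activation_code: "c0ffee42" }).login  # "newbie"
end
```

Run the file directly to see the four cases. The point to take away is that the vulnerable branch hands back the activated admin row for a request carrying no code at all, while the patched branch returns :false for a missing, empty or whitespace-only code and still resolves a genuine code to its owner.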
9 responses so far
1 Dr Nic // Oct 28, 2007 at 14:47
Thanks for spotting that!
2 Zubin // Oct 28, 2007 at 19:27
For such a popular plugin, I’m surprised it’s taken this long to find this… Well spotted!
3 Daniel Fischer - Got Fisch? » Serious Restful_authentication Security Problem // Oct 28, 2007 at 22:46
[…] source […]
4 Security update for Restful Authentication // Oct 29, 2007 at 6:39
[…] you’re new here, you may want to subscribe to my RSS feed. Thanks for visiting!http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/ Share and Enjoy: These icons link to social bookmarking sites where readers can share and […]
5 fox fox // Oct 29, 2007 at 9:18
thanks so much for this!
6 Hendrik // Nov 11, 2007 at 13:43
The problem seems to be caught by Rails routing if you use the route suggested by the plugin:
map.connect 'activate/:activation_code', :controller => 'users', :action => 'activate'
The URL /activate/ or /activate/?activation_code= will then result in a routing error.
Nevertheless, adding the check for nil is a good idea.
But maybe that’s the reason why it wasn’t discovered earlier.
7 Jason // Nov 12, 2007 at 13:46
Nice catch. But with Edge Rails, I get a "No Routes Match" exception. The route I have:
map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate'
8 Heiko // Nov 17, 2007 at 3:52
Mm, I'm on 1.2.5 and I don't get a routing error for the URL /activate and I have the same route. The parameters will be
Parameters: {"action"=>"activate", "controller"=>"user"}
thus “activation_code” => nil.
In any way I don’t like making applications secure by saying “this will never happen”!
9 Dibistore // Nov 22, 2007 at 4:25
Thank you, this post is very useful