Sunday, 28 October 2007

restful_authentication login security

There is a serious vulnerability in the restful_authentication plugin's account activation step. It lets anyone log in without credentials, or impersonate another user.

The "activate" method of the controller accepts a missing or empty activation code parameter, for example via one of these URLs (depending on your routes):

http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=

which passes nil to find_by_activation_code and produces this SQL:
SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1

Activated users have their activation_code cleared to NULL, so the query returns the first activated account and the attacker is logged in as that user, without a password.

This is exploitable by anyone, logged in or not, because the controller normally carries skip_before_filter :login_required, :only => [:activate]. Even without that exception (rare), any registered user can use it to impersonate someone else.

The author has been informed and thankfully reacted with a new version of the plugin. To patch an existing installation, replace the first line of the method with this (depending on your model names):

self.current_user = params[:activation_code].blank? ? :false : User.find_by_activation_code(params[:activation_code])

blank? rejects both nil (parameter absent) and an empty string, so both URL forms above are refused before any query runs. The symbol :false is the value the plugin's current_user accessor uses to mean "nobody is logged in", which is why the fix assigns it rather than nil.
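To make the bug and the fix concrete without a Rails application, here is an added example (not the plugin's own code) that models the activate action before and after the patch against a few constructed in-memory accounts. It assumes the behaviour the post's SQL shows, namely that the request parameter reaches the finder as nil and the finder then matches activation_code IS NULL; the helper names parse_query, find_by_activation_code, activate_vulnerable and activate_fixed are this example's own.

```ruby
# Added example, not restful_authentication's code: a Rails-free model of the
# activate action before and after the fix.
require 'cgi'
require 'securerandom'

# Constructed sample accounts. restful_authentication clears activation_code
# to NULL once an account is activated, so the first two are live users and
# only the third is still pending.
USERS = [
  { id: 1, login: 'admin', activation_code: nil },
  { id: 2, login: 'bob',   activation_code: nil },
  { id: 3, login: 'carol', activation_code: SecureRandom.hex(20) },
].freeze

# Mimics the query-string handling behind the post's IS NULL query:
# "activation_code=" (empty value) arrives in params as nil.
def parse_query(query_string)
  query_string.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    next if key.nil? || key.empty?
    params[CGI.unescape(key)] = (value.nil? || value.empty?) ? nil : CGI.unescape(value)
  end
end

# Stand-in for User.find_by_activation_code. A nil argument behaves like
# "WHERE activation_code IS NULL LIMIT 1": the first activated account is
# returned instead of nothing.
def find_by_activation_code(code)
  USERS.find { |u| u[:activation_code] == code }
end

# Vulnerable version: whatever the finder returns becomes current_user.
def activate_vulnerable(params)
  find_by_activation_code(params['activation_code'])
end

# ActiveSupport's blank? without ActiveSupport: nil, "" and whitespace-only.
def blank?(value)
  value.nil? || value.to_s.strip.empty?
end

# Patched version: a blank code never reaches the database. The plugin used
# the symbol :false as its "nobody is logged in" sentinel, hence :false here.
def activate_fixed(params)
  code = params['activation_code']
  blank?(code) ? :false : find_by_activation_code(code)
end

if __FILE__ == $PROGRAM_NAME
  attacker_request = parse_query('activation_code=')
  p activate_vulnerable(attacker_request)   # the admin account, no password needed
  p activate_fixed(attacker_request)        # :false, nobody logged in
  p activate_fixed('activation_code' => USERS[2][:activation_code])  # carol, as intended
end
```

Run it directly to see the three outcomes. The important point is in find_by_activation_code: an absent value is not "no match", it is a wildcard over every activated user, and LIMIT 1 silently turns that into the first account in the table.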


Reader Comments (10)

Thanks for spotting that!

October 28, 2007 | Unregistered CommenterDr Nic

For such a popular plugin, I'm surprised it's taken this long to find this... Well spotted!

October 29, 2007 | Unregistered CommenterZubin


thanks so much for this!

October 29, 2007 | Unregistered Commenterfox fox

The problem seems to be caught by Rails routing if you use the route suggested by the plugin:

map.connect 'activate/:activation_code', :controller => 'users', :action => 'activate'

The URL /activate/ or /activate/?activation_code= will then result in a routing error.

Nevertheless, adding the check for nil is a good idea.

But maybe that's the reason why it wasn't discovered earlier.

November 11, 2007 | Unregistered CommenterHendrik

Nice catch. But with Edge Rails, I get a "No Routes Match" exception. The route I have:

map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate'

November 12, 2007 | Unregistered CommenterJason

Thanks for spotting that!

November 17, 2007 | Unregistered Commenterbilgisayar tamiri

Mm, I'm on 1.2.5 and I don't get a routing error for the URL /activate, and I have the same route. The parameters will be

Parameters: {"action"=>"activate", "controller"=>"user"}

thus "activation_code" => nil.

In any case, I don't like making applications secure by saying "this will never happen"!

November 17, 2007 | Unregistered CommenterHeiko

Thank you, this post is very useful

November 22, 2007 | Unregistered CommenterDibistore
