Sunday, Oct 28, 2007

restful_authentication login security

There is a serious security leak in the restful_authentication plugin regarding the activation of an account. It can be used to log in without user credentials or to impersonate someone else.

The "activate" method of the controller accepts an empty activation code parameter like this (depending on your routes):

http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=

This produces the following SQL:
SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1

An attacker will be able to log in without a password, using the first account found with an empty activation_code (i.e. an already activated user)!

This works for everyone inside and outside the app, because you normally have a skip_before_filter :login_required, :only => [:activate] in the controller. Even if you don't (rarely), registered users can still impersonate someone else!

The author has been informed and thankfully reacted with a new version of the plugin. Replace the first line of the method with this (depending on your model names):

self.current_user = params[:activation_code].blank? ? :false : User.find_by_activation_code(params[:activation_code]) 
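To make the failure mode concrete, here is an added example (not the plugin's code or the post's) that stands in for the Rails finder with an in-memory table. The constructed USERS table and the helper names find_by_activation_code (written to mirror the dynamic finder's nil-becomes-IS NULL semantics), activate_vulnerable, activate_hardened and blank_code? are assumptions for illustration. It shows that the unguarded lookup with a missing parameter returns the first activated account, and that the blank check from the fix above rejects both nil and an empty string before the finder is ever consulted.

```ruby
# Added example (not code from the plugin or the post): a minimal in-memory
# stand-in for User.find_by_activation_code that reproduces the SQL semantics
# the post quotes -- a nil argument becomes "activation_code IS NULL", which
# matches every already-activated account -- and the hardened activate step.

# Constructed sample table. In restful_authentication an account's activation
# code is cleared (set to nil) once it has been activated, so the rows with a
# nil code are exactly the live accounts.
USERS = [
  { id: 1, login: 'admin', activation_code: nil },          # activated
  { id: 2, login: 'bob',   activation_code: nil },          # activated
  { id: 3, login: 'carol', activation_code: 'a1b2c3d4' },  # still pending
].freeze

# Mirrors the dynamic finder: find_by_activation_code(nil) generates
# `WHERE activation_code IS NULL LIMIT 1`, so nil matches the first row whose
# code is NULL instead of matching nothing. (Models the missing-parameter case.)
def find_by_activation_code(code)
  USERS.find { |u| u[:activation_code] == code }
end

# Vulnerable shape of the controller's first line: whatever the finder returns
# is installed as the current user, so a missing parameter logs in the first
# activated account. Returns the login that would be signed in, or :false
# (the plugin's "nobody" marker) when no row matched.
def activate_vulnerable(params)
  user = find_by_activation_code(params[:activation_code])
  user ? user[:login] : :false
end

# Equivalent of ActiveSupport's blank? for a code coming from params:
# nil, "" and whitespace-only strings are all rejected.
def blank_code?(value)
  value.nil? || value.to_s.strip.empty?
end

# Hardened shape (the fix the post quotes): refuse blank codes up front so the
# finder is never called with nil or "", and only a real pending code matches.
def activate_hardened(params)
  code = params[:activation_code]
  user = blank_code?(code) ? nil : find_by_activation_code(code)
  user ? user[:login] : :false
end

if __FILE__ == $PROGRAM_NAME
  p activate_vulnerable({})                          # "admin" -- no credentials needed
  p activate_hardened({})                            # :false
  p activate_hardened(activation_code: '')           # :false
  p activate_hardened(activation_code: 'a1b2c3d4')   # "carol"
end
```

The check belongs in the controller (or model) and not in the routes: as the comments below illustrate, whether a bare /activate request ever reaches the action depends on the Rails version and route definition, and the finder itself will happily match NULL either way.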

Reader Comments (10)

Thanks for spotting that!

October 28, 2007 | Unregistered Commenter Dr Nic

For such a popular plugin, I'm surprised it's taken this long to find this... Well spotted!

October 29, 2007 | Unregistered Commenter Zubin

[...] you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/ Share and Enjoy: These icons link to social bookmarking sites where readers can share and [...]

thanks so much for this!

October 29, 2007 | Unregistered Commenter fox fox

The problem seems to be caught by Rails routing if you use the route suggested by the plugin:

map.connect 'activate/:activation_code', :controller => 'users', :action => 'activate'

The URL /activate/ or /activate/?activation_code= will then result in a routing error.

Nevertheless, adding the check for nil is a good idea.

But maybe that's the reason why it wasn't discovered earlier.

November 11, 2007 | Unregistered Commenter Hendrik

Nice catch. But with edge Rails, I get a "No Routes Match" exception. The route I have:

map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate'

November 12, 2007 | Unregistered Commenter Jason

Thanks for spotting that!

November 17, 2007 | Unregistered Commenter bilgisayar tamiri

Mm, I'm on 1.2.5 and I don't get a routing error for the URL /activate, and I have the same route. The parameters will be

Parameters: {"action"=>"activate", "controller"=>"user"}

thus "activation_code" => nil.

In any case, I don't like making applications secure by saying "this will never happen"!

November 17, 2007 | Unregistered Commenter Heiko

Thank you, this post is very useful.

November 22, 2007 | Unregistered Commenter Dibistore
