Entries Tagged as 'Rails'
Rails 2.0 will include a new default session store, the CookieStore. It stores the "marshalled" session object in a cookie on the client side, without encryption. Here is an example of such a cookie value:
BAh7BzoMdXNlcl9pZGkKIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpG%250AbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA–be9c1e802c6cf126c722c68002ccbd5684a96dd9
Well, it is not actually clear text, but Base64 encoded. […]
Tags: Rails · Uncategorized
October 28th, 2007 · 9 Comments
There is a serious security leak in the restful_authentication plugin regarding the activation of an account. It can be used to log in without user credentials or to impersonate someone else.
The "activate" method of the controller accepts an empty activation code parameter like this (depending on your routes):
http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=
This will generate the following SQL: SELECT * […]
Tags: Rails · Uncategorized
The release of Ruby on Rails 1.2.4 addresses some potential security issues; all users of earlier versions are advised to upgrade to 1.2.4.
The following issues have been addressed:
URL-based sessions are no longer enabled by default, as it allowed users to provide their session_id in the URL as well as cookies. The functionality could be […]
Tags: Rails · XSS and Rails
October 1st, 2007 · 1 Comment
The Rails 2.0 Preview Release is available now, which is great news. The announcement includes a paragraph on security:
"We now ship with a built-in mechanism for dealing with CSRF attacks." Yes, it works fine.
"The old TextHelper#sanitize method has gone from a black list (very hard to keep secure) approach to a white list approach." Very […]
Tags: Rails · XSS and Rails