Sunday, Oct 28, 2007

restful_authentication login security

There is a serious security hole in the restful_authentication plugin's account activation. It can be used to log in without any credentials, or to impersonate another user.

The "activate" action of the controller accepts a missing or empty activation_code parameter, reached through either of these URLs (depending on your routes):

http://localhost:3006/user/activate or http://localhost:3006/activate/?activation_code=

Because the parameter is nil, the dynamic finder produces this SQL:
SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1

The plugin clears activation_code when an account is activated, so this query returns the first activated user in the table, and the attacker is logged in as that user without a password!

This is exploitable by anyone, logged in or not, because the controller normally has skip_before_filter :login_required, :only => [:activate]. Even without that filter skip (which is rare), any registered user can impersonate someone else!

The author has been informed and thankfully responded with a new version of the plugin. The fix replaces the first line of the method with this (adjust the model name to yours):

self.current_user = params[:activation_code].blank? ? :false : User.find_by_activation_code(params[:activation_code]) 
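The lookup described above, reduced to plain Ruby as an added example (this is not the plugin's code and not code from the post): a two-row in-memory users table, a query parser that models Rails 1.2 turning an empty value into nil, a finder with the same nil-to-IS NULL semantics as the dynamic finder, and the vulnerable first line of the action beside the fixed one. The names parse_query, sql_for, find_by_activation_code, blank_param?, vulnerable_activate, fixed_activate and the USERS rows are all assumptions made for this example.

```ruby
# Added example, not the plugin's own code: a self-contained model of the
# activation lookup, showing the NULL match and the fix.
# Assumed names: parse_query, sql_for, find_by_activation_code, blank_param?,
# vulnerable_activate, fixed_activate, and the constructed USERS rows.

User = Struct.new(:id, :login, :activation_code)

# Constructed sample rows. restful_authentication clears the code on
# activation, so an activated account has activation_code NULL.
USERS = [
  User.new(1, "alice", nil),              # activated
  User.new(2, "bob",   "abc123def456"),   # still pending activation
].freeze

# Rails 1.2 parsed an empty query value ("activation_code=") as nil, which is
# why the post sees the same IS NULL query for both URLs. That behaviour is
# modelled here as an assumption, not taken from Rails itself.
def parse_query(query_string)
  query_string.split("&").each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2)
    next if key.nil? || key.empty?
    params[key.to_sym] = (value.nil? || value.empty?) ? nil : value
  end
end

# The SQL a dynamic finder emits for a given argument: nil becomes IS NULL.
def sql_for(code)
  condition = code.nil? ? "IS NULL" : "= '#{code}'"
  "SELECT * FROM users WHERE (users.`activation_code` #{condition}) LIMIT 1"
end

# Emulates User.find_by_activation_code against the in-memory rows with the
# same nil semantics as the SQL above: nil matches every activated user.
def find_by_activation_code(code)
  USERS.find { |u| u.activation_code == code }
end

# Stand-in for ActiveSupport's Object#blank?, which the fix relies on.
def blank_param?(value)
  value.nil? || value.to_s.strip.empty?
end

# Vulnerable first line of #activate: the parameter goes straight to the
# finder, so a nil code returns the first activated user. The return value is
# what the action assigns to current_user, i.e. who ends up logged in.
def vulnerable_activate(params)
  find_by_activation_code(params[:activation_code])
end

# Fixed first line, as in the updated plugin: a blank code never reaches the
# finder. :false is the plugin's "nobody is logged in" value.
def fixed_activate(params)
  code = params[:activation_code]
  blank_param?(code) ? :false : find_by_activation_code(code)
end

if __FILE__ == $0
  ["", "activation_code=", "activation_code=abc123def456"].each do |qs|
    params = parse_query(qs)
    puts "query %-30p -> SQL: %s" % [qs, sql_for(params[:activation_code])]
    puts "  vulnerable logs in: %p" % [vulnerable_activate(params)&.login]
    result = fixed_activate(params)
    puts "  fixed logs in:      %p" % [result.is_a?(User) ? result.login : result]
  end
end
```

Run stand-alone, the script prints the SQL and outcome for three query strings. With no parameter at all, or with activation_code= (both of which the post's URLs produce), the vulnerable line returns alice, the already activated account, while the fixed line returns :false. Only a real, still-pending code reaches bob.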


Reader Comments (10)

Thanks for spotting that!

October 28, 2007 | Unregistered Commenter Dr Nic

For such a popular plugin, I'm surprised it's taken this long to find this... Well spotted!

October 29, 2007 | Unregistered Commenter Zubin


thanks so much for this!

October 29, 2007 | Unregistered Commenter fox fox

The problem seems to be caught by Rails routing if you use the route suggested by the plugin:

map.connect 'activate/:activation_code', :controller => 'users', :action => 'activate'

The URL /activate/ or /activate/?activation_code= will then result in a routing error.

Nevertheless, adding the check for nil is a good idea.

But maybe that's the reason why it wasn't discovered earlier.

November 11, 2007 | Unregistered Commenter Hendrik

Nice catch. But with edge Rails, I get a "No Routes Match" exception. The route I have:

map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate'

November 12, 2007 | Unregistered Commenter Jason

Thanks for spotting that!

November 17, 2007 | Unregistered Commenter bilgisayar tamiri

Mm, I'm on 1.2.5 and I don't get a routing error for the URL /activate, and I have the same route. The parameters will be

Parameters: {"action"=>"activate", "controller"=>"user"}

thus "activation_code" => nil.

In any case, I don't like making applications secure by saying "this will never happen"!

November 17, 2007 | Unregistered Commenter Heiko

Thank you, this post is very useful.

November 22, 2007 | Unregistered Commenter Dibistore
