There are several login generators, user authentication plugins and access control frameworks for Rails, but most of them are declared beta. Here are the two major ones on RubyForge, followed by the plugin recommended instead:
LoginGenerator (quoted from its RubyForge description): This is the popular generator for the Rails framework which will outfit your application with a complete user management. It offers login and signup pages as well as great security and technology to protect certain areas of the application.
LoginSugar (quoted from its RubyForge description): A fork of Salted Hash Login Generator which quit working around Rails 1.1.3. It is a user system providing signup, login, email validation and forgotten password facilities. Sugar works with Rails 1.2.3.
restful_authentication (recommended): This is a basic RESTful authentication generator for Rails, taken from acts_as_authenticated. Currently it requires Rails 1.2 (or edge).
LoginSugar is based on LoginGenerator, as are several other generators. restful_authentication is the recommended plugin because it does not share the vulnerabilities of the other generators, but you have to update to the newest version. Today I found several security holes in the other two:
1. When signing up for a new account, both of them fall prey to mass assignment attacks (see previous post): an attacker can bypass the confirmation email, obtain administrator privileges and basically set any attribute of the model, because the signup controller passes the whole form hash straight into the model:
@user = User.new(@params['user'])
An attacker could save the signup page and add the following hidden fields to the signup form (the field names correspond to columns of the user model):
<input id="user[verified]" name="user[verified]" type="hidden" value="1" />
<input id="user[role]" name="user[role]" type="hidden" value="admin" />
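To show why that one controller line is enough, here is an added example that is not code from LoginGenerator, LoginSugar or restful_authentication: a minimal Ruby stand-in for ActiveRecord mass assignment. The column names, the whitelist and the `whitelist:` switch are assumptions made for illustration; the whitelist plays the role of Rails' attr_accessible. The attacker request is constructed from the two hidden fields above added to an otherwise normal signup.

```ruby
# Added example (not the generators' code). User.new(params) copies every
# submitted key into the model, so extra hidden fields become extra columns.
# Column names and the whitelist are assumptions for illustration.

class User
  # Columns the signup form may set (the equivalent of attr_accessible).
  ACCESSIBLE = %w[login email password].freeze

  # Defaults a fresh account must start with; the attacker's goal is to
  # override the last two.
  DEFAULTS = { 'login' => nil, 'email' => nil, 'password' => nil,
               'verified' => false, 'role' => 'user' }.freeze

  attr_reader :attributes

  # whitelist: false reproduces the vulnerable generators' behaviour.
  def initialize(params = {}, whitelist: false)
    @attributes = DEFAULTS.dup
    params = self.class.filter(params) if whitelist
    params.each do |key, value|
      key = key.to_s
      @attributes[key] = value if @attributes.key?(key) # unknown columns are ignored
    end
  end

  def self.filter(params)
    params.select { |key, _| ACCESSIBLE.include?(key.to_s) }
  end

  # ActiveRecord typecasts "1" to true for boolean columns, which is what
  # makes the injected user[verified]=1 field work.
  def verified?
    %w[1 true].include?(@attributes['verified'].to_s)
  end

  def role
    @attributes['role']
  end
end

# Constructed attacker request: a normal signup plus the two hidden fields.
ATTACKER_PARAMS = {
  'login' => 'mallory', 'email' => 'mallory@example.com', 'password' => 'hunter2',
  'verified' => '1',   # injected user[verified]
  'role' => 'admin'    # injected user[role]
}.freeze

# What the generators do: @user = User.new(@params['user'])
def vulnerable_signup(user_params)
  User.new(user_params)
end

# The fix: only whitelisted columns reach the model; verified and role keep
# their defaults and must be set by application code.
def hardened_signup(user_params)
  User.new(user_params, whitelist: true)
end

if __FILE__ == $0
  v = vulnerable_signup(ATTACKER_PARAMS)
  h = hardened_signup(ATTACKER_PARAMS)
  puts "vulnerable: verified=#{v.verified?} role=#{v.role}"
  puts "hardened:   verified=#{h.verified?} role=#{h.role}"
end
```

The whitelist is the important part: a blacklist of known-dangerous columns (attr_protected) silently stops protecting the model the day someone adds a new privileged column.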
2. LoginSugar: If an attacker gets hold of a confirmation URL within its expiry time (usually 24 hours), he can use it to log into the application without knowing the username or password. A countermeasure is to invalidate the confirmation code the moment it is verified, so that the link can only be used once.
3. LoginSugar: If an attacker has gained access to the application (for example through a stolen or hijacked session), he can use the change_password method to set a new password without knowing the original one and thereby take over the account completely. A countermeasure is to require the current password when changing it.
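Both countermeasures from points 2 and 3 in one place, as an added example that is not LoginSugar's code: an account object whose activation code is time-limited and cleared on first use, and whose change_password requires the current password. The class name, the 24-hour TTL constant, the PBKDF2 parameters and the minimum password length are assumptions; the constant-time comparison is there so that the code and hash checks do not leak through timing.

```ruby
# Added example (not LoginSugar's code). Single-use, expiring activation codes
# and a change_password that demands the old password. Names and parameters
# are assumptions for illustration.
require 'securerandom'
require 'openssl'

class Account
  ACTIVATION_TTL = 24 * 60 * 60 # seconds; matches the usual 24-hour link expiry

  attr_reader :login, :activation_code, :activation_sent_at

  # clock: injectable "now" so expiry can be exercised deterministically.
  def initialize(login, password, clock: Time.now)
    @login = login
    @salt = SecureRandom.random_bytes(16)
    @password_hash = hash_password(password)
    @activated = false
    @activation_code = SecureRandom.hex(20) # 160 random bits, sent by email
    @activation_sent_at = clock
  end

  def activated?
    @activated
  end

  # Consume the emailed code. It is cleared as soon as it is accepted, so a
  # captured URL cannot be replayed later; an expired code is rejected too.
  def activate!(code, now: Time.now)
    return false if @activation_code.nil?
    return false unless secure_compare(@activation_code, code.to_s)
    return false if now - @activation_sent_at > ACTIVATION_TTL
    @activation_code = nil
    @activated = true
  end

  def authenticate(password)
    activated? && secure_compare(@password_hash, hash_password(password))
  end

  # Proof of the current password is required, so a hijacked session alone
  # cannot lock the legitimate owner out of the account.
  def change_password(old_password, new_password)
    return false unless secure_compare(@password_hash, hash_password(old_password))
    return false if new_password.to_s.length < 8 # assumed minimum length
    @password_hash = hash_password(new_password)
    true
  end

  private

  # PBKDF2-HMAC-SHA256 with a per-account random salt (stdlib OpenSSL).
  def hash_password(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password.to_s, @salt, 10_000, 32, 'sha256')
  end

  # Constant-time comparison of equal-length strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $0
  acct = Account.new('alice', 'correct horse battery')
  code = acct.activation_code
  puts "first use:  #{acct.activate!(code)}"   # true
  puts "replay:     #{acct.activate!(code)}"   # false, code already consumed
  puts "no old pw:  #{acct.change_password('guess', 'new-password-1')}" # false
end
```

Clearing the code on use is what makes the confirmation link single-use; the expiry check alone, as in the original LoginSugar, leaves a captured link valid for the whole window.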
Reader Comments (65)
Hey, good work. Would you be able to also audit Rick Olson's RestfulAuthentication generator? That's the most popular framework for new apps these days.
Hi, I haven't tested RestfulAuthentication but by looking at the source code, it has the same problem with mass assignment attacks. Take a look at the controller def create action, especially the first line after it.
RestfulAuthentication (or acts_as_authenticated for that matter) doesn't have a boolean attribute for activation; it uses the existence of activation_code to determine whether a user is activated or not. Since activation_code is generated in a before_create filter, it doesn't matter whether a malign user tries to set the code to nil in a form (I also don't know whether there's a way to explicitly set a field to nil, other than leaving the field out, which obviously doesn't work in this case).