Saturday, Feb 28, 2009

XSS and CSRF Vulnerabilities in the in_place_editing plugin

The Ruby on Rails Weblog reports two vulnerabilities in the in_place_editing plugin:

  • The actions generated by in_place_edit_for perform no verification of the request method, allowing a hostile website to bypass the built-in CSRF protection.
  • The input controls generated by in_place_editor_field perform no output sanitization, leaving the application vulnerable to XSS attacks.

Users of this plugin are advised to update the plugin from git://github.com/rails/in_place_editing.git. The original post provides a zip file and a patch if you're unable to use git.
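The two fixes the advisory calls for, as an added Ruby model that is not the plugin's own code: a stand-in for the action in_place_edit_for generates that rejects anything but POST/PUT (Rails' built-in forgery check only verifies the authenticity token on non-GET requests, so a GET-accepting update action can be triggered from another site without the token), and the editor span in_place_editor_field emits, rendered with and without HTML escaping. The Article struct, the method names and the sample values are constructed for this example.

```ruby
require 'cgi'

# Stand-in for the record the generated action updates (constructed for this
# example; the real plugin works on an ActiveRecord model).
Article = Struct.new(:id, :title)

# Models the shape of the action in_place_edit_for generates, with both fixes:
# non-POST/PUT requests are refused before anything is updated, and the value
# sent back to the browser is HTML-escaped. Returns [status, body] so the
# behaviour can be checked without a web server.
def set_article_title(request_method, params, record)
  unless [:post, :put].include?(request_method)
    return [405, 'Method not allowed']
  end
  record.title = params[:value].to_s
  [200, CGI.escapeHTML(record.title)]
end

# Models the span in_place_editor_field emits. escape: false reproduces the
# vulnerable pattern (attribute value written into the page verbatim);
# escape: true is the corrected form.
def editor_span(dom_id, value, escape: true)
  text = escape ? CGI.escapeHTML(value.to_s) : value.to_s
  %(<span id="#{dom_id}" class="in_place_editor_field">#{text}</span>)
end

if __FILE__ == $0
  article = Article.new(1, 'Hello')
  # A GET, e.g. from a link or image tag on another site, is rejected unchanged.
  p set_article_title(:get, { value: 'changed' }, article)
  # A POST updates the record; the stored value is escaped on the way out.
  p set_article_title(:post, { value: '<b>Hi</b>' }, article)
  p editor_span('article_title_1', article.title, escape: false)
  p editor_span('article_title_1', article.title)
end
```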
