Top
Welcome

The Ruby on Rails Security Project wants to make Rails (applications) more secure. Heiko Webers of bauland42 writes blog posts about Rails and security related topics and carries out security audits for your web applications. We have a free book for you, too. Contact Heiko at 42 -the AT sign- bauland42.de.

Search

Feeds / Syndication
Most Popular
« DoS vulnerability in BigDecimal | Main | Hacking Ruby on Rails @ RailsWayCon09 »
Thursday
04Jun2009

Vulnerability in Rails 2.3 HTTP Authentication

DateThursday, June 4, 2009 at 2:57PM

There has been a security vulnerability in Rails in the HTTP digest authentication in Rails 2.3. That way someone can authenticate without any user name and password. The HTTP basic authentication seems to be not vulnerable to this problem.

The problem arises in the authenticate_or_request_with_http_digest method which will proceed even if the user name check returns nil.

You can find out more, including countermeasures at Nate's blog and the Rails weblog.

AuthorHeiko | CommentPost a Comment |

PrintView Printer Friendly Version

EmailEmail Article to Friend

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>