« DoS vulnerability in BigDecimal | Main | Hacking Ruby on Rails @ RailsWayCon09 »
Thursday
Jun042009

Vulnerability in Rails 2.3 HTTP Authentication

There has been a security vulnerability in Rails in the HTTP digest authentication in Rails 2.3. That way someone can authenticate without any user name and password. The HTTP basic authentication seems to be not vulnerable to this problem.

The problem arises in the authenticate_or_request_with_http_digest method which will proceed even if the user name check returns nil.

You can find out more, including countermeasures at Nate's blog and the Rails weblog.

PrintView Printer Friendly Version

EmailEmail Article to Friend

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>