Summary: <dev-ruby/rails-2.2.2: Potential Circumvention of CSRF Protection (CVE-2008-7248)
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Hans de Graaff 2008-11-19 08:54:48 UTC
There is a bug in all 2.1.x versions of Ruby on Rails which affects the effectiveness of the CSRF protection given by protect_from_forgery. By design Rails does not perform token verification on requests with certain content types not typically generated by browsers. Unfortunately this list also included 'text/plain', which can be generated by browsers.

Impact
======
Requests can be crafted which will circumvent the CSRF protection entirely. Rails does not parse the parameters provided with these requests, but that may not be enough to protect your application.

Affected Versions
=================
* All releases in the 2.1 series
* All 2.2 Pre Releases

Fixes
=====
* 2.1.3 and 2.2.2 will contain a fix for this issue.

Interim Workarounds
===================
Users of 2.1.x releases are advised to insert the following code into a file in config/initializers/

  Mime::Type.unverifiable_types.delete(:text)

Users of Edge Rails after 2.2.1 should upgrade to the latest code in 2-2-stable.

The patch for the 2.1.x series is available at:
http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a

This will also apply cleanly to 2.2 pre-releases prior to the following changeset:

commit f1ad8b48aae3ee26613b3e77bc0056e120096846
Author: Michael Koziarski <email@example.com>
Date:   Thu Nov 13 11:19:53 2008 +0100

Users with edge-rails checkouts after that date are advised to upgrade to the latest code in 2-2-stable.
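Added example, not part of the advisory above and not Rails' own code: a small Ruby model of the shape of the Rails 2.1 forgery check, so the role of Mime::Type.unverifiable_types and the effect of the interim workaround (deleting :text from that set) can be run offline. The module name, the content-type table, the request hashes and the token value are assumptions made up for this illustration; the list of unverifiable types is an approximation of the 2.1 default, and the advisory only confirms that it included text/plain.

```ruby
require 'set'

# Added example, not code from the advisory or from Rails itself: a model of the
# shape of the Rails 2.1 forgery check. Names, sample requests and the token are
# assumptions for this illustration.
module CsrfModel
  # Approximation of the Rails 2.1 default set of content types for which the
  # token is not checked (assumed here; the advisory only says it included
  # text/plain). :text is the problem: an HTML form with enctype="text/plain"
  # makes a browser send exactly this content type cross-site.
  UNVERIFIABLE_TYPES = Set.new([:text, :json, :xml, :rss, :atom, :yaml])

  CONTENT_TYPE_SYMBOLS = {
    'application/x-www-form-urlencoded' => :url_encoded_form,
    'multipart/form-data'               => :multipart_form,
    'text/plain'                        => :text,
    'application/json'                  => :json,
    'application/xml'                   => :xml
  }.freeze

  # Like Mime::Type#verify_request?: true unless the type is listed as
  # unverifiable. Parameters after ';' (e.g. charset) are ignored; an unknown or
  # missing content type is treated as verifiable in this model.
  def self.verify_request?(content_type, unverifiable = UNVERIFIABLE_TYPES)
    base = content_type.to_s.split(';').first.to_s.strip.downcase
    !unverifiable.include?(CONTENT_TYPE_SYMBOLS[base])
  end

  # Shape of verified_request?: GET is never checked, unverifiable content types
  # are not checked, anything else must carry the session's authenticity token.
  # request is a Hash with :method, :content_type and :params.
  def self.verified_request?(request, session_token, unverifiable = UNVERIFIABLE_TYPES)
    return true if request[:method] == :get
    return true unless verify_request?(request[:content_type], unverifiable)
    request[:params]['authenticity_token'] == session_token
  end
end

# Constructed sample data. A cross-site attacker does not know the victim's
# session token, so a forged request carries no token at all.
SESSION_TOKEN = 'c0ffee-constructed-token'.freeze
FORGED_TEXT_PLAIN = { method: :post, content_type: 'text/plain; charset=UTF-8', params: {} }.freeze
FORGED_FORM_POST  = { method: :post, content_type: 'application/x-www-form-urlencoded', params: {} }.freeze
LEGIT_FORM_POST   = { method: :post, content_type: 'application/x-www-form-urlencoded',
                      params: { 'authenticity_token' => SESSION_TOKEN } }.freeze

# Vulnerable configuration: the text/plain POST is accepted without a token.
# Rails does not parse text/plain bodies into params, so this matters for
# actions that do something without needing params, or that read the raw body.
def forged_text_plain_accepted?
  CsrfModel.verified_request?(FORGED_TEXT_PLAIN, SESSION_TOKEN)
end

# The advisory's interim workaround, modelled here: removing :text from the
# unverifiable set makes text/plain requests require the token like any form post
# (the real initializer line is Mime::Type.unverifiable_types.delete(:text)).
def forged_text_plain_accepted_after_workaround?
  patched = CsrfModel::UNVERIFIABLE_TYPES.dup
  patched.delete(:text)
  CsrfModel.verified_request?(FORGED_TEXT_PLAIN, SESSION_TOKEN, patched)
end

if __FILE__ == $0
  puts "text/plain forgery accepted with the 2.1.x default: #{forged_text_plain_accepted?}"
  puts "text/plain forgery accepted after the workaround:  #{forged_text_plain_accepted_after_workaround?}"
end
```

The model deliberately ignores the rest of Rails (protect_against_forgery?, session handling) and keeps only the branch the advisory is about: a request whose content type is in the unverifiable set never reaches the token comparison, whatever its params contain.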
Comment 1 Hans de Graaff 2008-11-19 08:57:04 UTC
Note that Rails 2.2, which is also mentioned in the bug report, is not in the tree yet; we'll wait until the fixed 2.2.2 release has come out. My proposal for Rails 2.1.3 is to wait until that version is out, unless this will take too long. It is not clear to me at this point if Rails 1.2.6 and Rails 2.0.5 (which we have in the tree) are also affected.
Comment 2 Azamat H. Hackimov 2008-11-26 16:55:15 UTC
rails-2.2.2 released - see #248915
Comment 3 Pierre-Yves Rofes (RETIRED) 2009-03-11 18:54:49 UTC
Well, rails-2.2.2 is now stable, so time for GLSA decision. I vote NO.
Comment 4 Alex Legler (RETIRED) 2009-03-11 19:00:57 UTC
Comment 5 Pierre-Yves Rofes (RETIRED) 2009-03-11 19:07:48 UTC
mmh, actually we'll have a GLSA combined with #237385
Comment 6 Alex Legler (RETIRED) 2009-03-14 15:41:06 UTC
I revbumped the 2.1 slot to fix this, as there is no 2.1.3 release in sight. Arches, please be so kind and mark dev-ruby/actionpack-2.1.2-r1 stable.
Comment 7 Brent Baude (RETIRED) 2009-03-15 12:50:33 UTC
Comment 8 Markus Meier 2009-03-15 15:06:47 UTC
Comment 9 Brent Baude (RETIRED) 2009-03-18 22:29:01 UTC
Comment 10 Raúl Porcel (RETIRED) 2009-03-25 14:55:31 UTC
Comment 11 Stefan Behte (RETIRED) 2009-12-18 01:29:20 UTC
CVE-2008-7248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7248): Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
Comment 12 Alex Legler (RETIRED) 2009-12-20 12:11:57 UTC