Summary: dev-ruby/rails-2.3.4: authenticate_or_request_with_http_digest bypass (CVE-2009-2422)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Alex Legler (RETIRED) <a3li>
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) 2009-07-02 19:21:14 UTC
A security problem has been reported with the digest authentication code in Ruby on Rails. This vulnerability can allow users to bypass your password protection. This vulnerability has been publicly disclosed on several websites; users are advised to take the mitigating steps described below immediately.

The issue comes from the handling of the block passed to authenticate_or_request_with_http_digest. This block must return the user's password in the clear, or a sha1 hash of the user's password. Unfortunately the documentation was unclear on this, and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn't exist is to return false. If the return value was nil, Rails proceeded to verify this value against the provided password. Because of this, an attacker can provide an invalid username and no password and authentication will succeed.

Fixed in 2.3.3 or patch at http://github.com/rails/rails/commit/056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489
Comment 1 Alex Legler (RETIRED) 2009-07-10 16:35:56 UTC
CVE-2009-2422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2422): The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
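The nil-versus-false distinction described in the report and in Comment 1, as an added Ruby model that is not part of this bug or of the Rails code base. The user table, realm, nonce and header fields are constructed for the demo; `expected_response` is a simplified stand-in for the Rails 2.3 digest computation, and `guard: true` models the 2.3.3-style check that rejects a missing password before any digest is compared.

```ruby
require 'digest/md5'

# Constructed user table for this demo (not from Rails).
USERS = { 'alice' => 's3cret' }.freeze

# Block shaped like the pre-2.3.3 documentation examples: Hash#[] returns nil
# for an unknown user, and Rails then verified that nil as if it were the password.
VULNERABLE_LOOKUP = ->(username) { USERS[username] }

# Corrected block: false is the "no such user" sentinel the fixed code expects.
HARDENED_LOOKUP = ->(username) { USERS.fetch(username, false) }

# Simplified model of the Rails 2.3 expected_response (RFC 2617 digest, qop=auth).
# nil joins as an empty string, so a nil password silently becomes the digest of
# an empty password instead of an error.
def expected_response(method, uri, creds, password)
  ha1 = Digest::MD5.hexdigest([creds[:username], creds[:realm], password].join(':'))
  ha2 = Digest::MD5.hexdigest([method.upcase, uri].join(':'))
  Digest::MD5.hexdigest([ha1, creds[:nonce], creds[:nc], creds[:cnonce], creds[:qop], ha2].join(':'))
end

# Simplified stand-in for validate_digest_response. Nonce/opaque checks are
# omitted; `guard: true` models the 2.3.3 fix (reject when the block returns
# nothing usable, before comparing digests).
def validate_digest(method, uri, creds, lookup, guard:)
  password = lookup.call(creds[:username])
  return false if guard && !password
  expected_response(method, uri, creds, password) == creds[:response]
end

# Constructed credential fields as the server would decode them from the
# Authorization header; the client builds its response from client_password.
def sample_creds(username, client_password)
  creds = { username: username, realm: 'app', nonce: 'abc123', nc: '00000001',
            cnonce: 'xyz', qop: 'auth' }
  creds.merge(response: expected_response('GET', '/admin', creds, client_password))
end

# Runs the cases the advisory describes and returns the server's verdict for each.
def demo
  unknown = sample_creds('nobody', nil)      # unknown user, no password
  alice   = sample_creds('alice', 's3cret')  # legitimate user
  {
    unknown_user_vulnerable: validate_digest('GET', '/admin', unknown, VULNERABLE_LOOKUP, guard: false),
    unknown_user_fixed:      validate_digest('GET', '/admin', unknown, HARDENED_LOOKUP, guard: true),
    known_user_fixed:        validate_digest('GET', '/admin', alice, HARDENED_LOOKUP, guard: true)
  }
end
```

The guard alone also closes the hole for a block that still returns nil, since nil is falsy; returning false from the block is what the corrected documentation asks for so the intent is explicit.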
Comment 2 Alex Legler (RETIRED) 2009-09-14 10:00:44 UTC
This is fixed in >= rails 2.3.3. Stabling together with bug 283396.
Comment 4 Alex Legler (RETIRED) 2009-12-20 12:12:00 UTC