
Bug 276279 (CVE-2009-2422)

Summary: <dev-ruby/rails-2.3.4: authenticate_or_request_with_http_digest bypass (CVE-2009-2422)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ruby
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-02 19:21:14 UTC
A security problem has been reported with the digest authentication
code in Ruby on Rails. This vulnerability can allow users to bypass
your password protection. This vulnerability has been publicly
disclosed on several websites; users are advised to take the
mitigating steps described below immediately.

The issue comes from the handling of the block passed to
authenticate_or_request_with_http_digest. This block must return the
user’s password in the clear, or a sha1 hash of the user’s password.
Unfortunately the documentation was unclear on this and the examples
cited would return nil if the user was not found. The correct
behaviour if the user doesn’t exist is to return false.

If the return value was nil, rails proceeded to verify this value
against the provided password. Because of this an attacker can provide
an invalid username and no password and authentication will succeed.

Fixed in 2.3.3 or patch at http://github.com/rails/rails/commit/056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489
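As an added illustration of the mechanism described above (example code written for this page, not Rails's own http_authentication.rb or the linked commit): a minimal RFC 2617 digest check in Ruby that models the flow the advisory describes, with the password block's result fed into the digest unguarded (pre-fix shape) next to the same check with a falsy-result guard (post-fix shape). The user table, realm, nonce and cnonce values are constructed, and all function and constant names are this example's own. It shows why a block returning nil for an unknown user degrades to an empty password, why returning false does not, and why the library-side guard makes the distinction irrelevant.

```ruby
require 'digest/md5'

# Constructed user table standing in for the application's lookup.
USERS = { 'alice' => 's3cret' }.freeze
REALM = 'Example'

# Block shape the old examples suggested: Hash#[] yields nil for unknown users.
NIL_ON_MISSING   = ->(name) { USERS[name] }
# Block shape the advisory asks for: unknown users yield false, never nil.
FALSE_ON_MISSING = ->(name) { USERS.fetch(name, false) }

# RFC 2617 building blocks (qop=auth). Array#join turns nil into "", which is
# exactly how a nil password silently becomes an empty one.
def ha1(username, realm, password)
  Digest::MD5.hexdigest([username, realm, password].join(':'))
end

def ha2(method, uri)
  Digest::MD5.hexdigest([method, uri].join(':'))
end

def digest_response(h1, c, h2)
  Digest::MD5.hexdigest([h1, c[:nonce], c[:nc], c[:cnonce], c[:qop], h2].join(':'))
end

# Parsed Authorization fields a client would send for the given password
# (nonce and cnonce are constructed values).
def client_credentials(username, password, method, uri, nonce)
  c = { username: username, realm: REALM, nonce: nonce, uri: uri,
        nc: '00000001', cnonce: 'constructed-cnonce', qop: 'auth' }
  c[:response] = digest_response(ha1(username, REALM, password), c, ha2(method, uri))
  c
end

# Server side: the block's value is accepted either as the clear password or
# as a precomputed HA1, the dual convention the advisory describes.
def response_matches?(credentials, method, password)
  h2 = ha2(method, credentials[:uri])
  [true, false].any? do |password_is_ha1|
    h1 = password_is_ha1 ? password : ha1(credentials[:username], credentials[:realm], password)
    digest_response(h1, credentials, h2) == credentials[:response]
  end
end

# Pre-fix flow: whatever the block returns goes straight into the digest.
def validate_digest_unguarded(credentials, method, &password_procedure)
  response_matches?(credentials, method, password_procedure.call(credentials[:username]))
end

# Post-fix flow: a falsy lookup result (nil or false) is rejected before any
# hashing, so the application's nil/false mistake can no longer open the door.
def validate_digest_guarded(credentials, method, &password_procedure)
  password = password_procedure.call(credentials[:username])
  return false unless password
  response_matches?(credentials, method, password)
end

# The four combinations that matter, keyed by scenario.
def outcomes
  nonce = 'constructed-nonce'
  good  = client_credentials('alice', 's3cret', 'GET', '/admin', nonce)
  bogus = client_credentials('nobody', '', 'GET', '/admin', nonce) # unknown user, no password
  {
    known_user_correct_password: validate_digest_unguarded(good, 'GET', &NIL_ON_MISSING),
    unknown_user_nil_block:      validate_digest_unguarded(bogus, 'GET', &NIL_ON_MISSING),
    unknown_user_false_block:    validate_digest_unguarded(bogus, 'GET', &FALSE_ON_MISSING),
    unknown_user_guarded:        validate_digest_guarded(bogus, 'GET', &NIL_ON_MISSING)
  }
end

if __FILE__ == $PROGRAM_NAME
  outcomes.each { |scenario, ok| puts "#{scenario}: #{ok ? 'accepted' : 'rejected'}" }
end
```

The unguarded path with a nil-returning block accepts the unknown user because MD5("nobody:Example:") is computed on both sides; with a false-returning block the server hashes the string "false" and the responses diverge, which is the application-level mitigation the advisory gives. The guarded path rejects before hashing regardless of which block is used, which is the shape of the upstream fix; an application audit for this issue therefore looks for both the Rails version and for authentication blocks whose lookup can fall through to nil.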
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-10 16:35:56 UTC
CVE-2009-2422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2422):
  The example code for the digest authentication functionality
  (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an
  authenticate_or_request_with_http_digest block that returns nil
  instead of false when the user does not exist, which allows
  context-dependent attackers to bypass authentication for applications
  that are derived from this example by sending an invalid username
  without a password.

Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-14 10:00:44 UTC
This is fixed in >= rails 2.3.3. Stabling together with bug 283396.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-18 17:50:24 UTC
GLSA together with bug 237385.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-20 12:12:00 UTC
GLSA 200912-02