Bug 20765

Summary: CVE-2009-2422 Ruby on Rails Bug in 'http_authentication.rb' Lets Remote Users Bypass Authentication
Product: Sisyphus    Reporter: Vladimir Lettiev <crux>
Component: ruby-actionpack    Assignee: Andrey Cherepanov <cas>
Status: CLOSED FIXED    QA Contact: qa-sisyphus
Severity: normal
Priority: P3    CC: cas, imz, led, majioa, mike, nbr, rider, stalker, stanv, timonbl4
Version: unstable    Keywords: security
Hardware: all
OS: Linux
URL: http://securitytracker.com/alerts/2009/Jul/1022517.html

Description Vladimir Lettiev 2009-07-13 11:29:39 MSD
A vulnerability was reported in Ruby on Rails. A remote user can bypass authentication.

A remote user can supply a specially crafted (invalid) username with no password to successfully authenticate and access a protected page. 

fixed in git: http://github.com/rails/rails/commit/056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489
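As an added illustration, not code from this report or from Rails itself, the following simplified Ruby model of HTTP Digest validation shows the failure class behind CVE-2009-2422: the server's password-lookup block returns nil for a username it does not know, and the vulnerable validator feeds that nil into the digest computation instead of rejecting, so a client who knows the realm and the server's nonce can compute a matching response with no password at all. The USERS table, REALM, nonce and function names are constructed for this example; the actual http_authentication.rb in Rails differs in detail.

```ruby
require 'digest/md5'

# Constructed user table for the example: only "alice" exists.
USERS = { "alice" => "s3cret" }.freeze
REALM = "Example"

# RFC 2617 digest response (qop=auth). Both client and server compute this;
# `password_is_ha1` lets the server accept a pre-hashed HA1 instead of a
# cleartext password, as Rails' digest support does.
def digest_response(method, uri, creds, password, password_is_ha1 = false)
  ha1 = if password_is_ha1
          password
        else
          Digest::MD5.hexdigest([creds[:username], creds[:realm], password].join(':'))
        end
  ha2 = Digest::MD5.hexdigest([method, uri].join(':'))
  Digest::MD5.hexdigest([ha1, creds[:nonce], creds[:nc], creds[:cnonce], creds[:qop], ha2].join(':'))
end

# Vulnerable server-side check: whatever the lookup block returns, nil
# included, is hashed. Array#join turns nil into "", so for an unknown user
# the server's expected response is computable by anyone who knows the
# username, realm and nonce.
def validate_vulnerable(method, uri, creds, &lookup)
  password = lookup.call(creds[:username])
  [true, false].any? do |is_ha1|
    digest_response(method, uri, creds, password, is_ha1) == creds[:response]
  end
end

# Hardened check: an unknown user is rejected before any hashing happens.
def validate_fixed(method, uri, creds, &lookup)
  password = lookup.call(creds[:username])
  return false unless password
  [true, false].any? do |is_ha1|
    digest_response(method, uri, creds, password, is_ha1) == creds[:response]
  end
end

# Client side: build the Authorization fields for a request. A legitimate
# client passes its real password; the attacker passes nil (no password) and
# an unknown username, which is exactly the crafted request described above.
def client_credentials(username, password, nonce, method: "GET", uri: "/admin")
  creds = { username: username, realm: REALM, nonce: nonce,
            nc: "00000001", cnonce: "deadbeef", qop: "auth" }
  creds[:response] = digest_response(method, uri, creds, password)
  creds
end

if __FILE__ == $PROGRAM_NAME
  nonce = "5f3a9c"                          # constructed; normally server-issued
  forged = client_credentials("nobody", nil, nonce)
  lookup = ->(u) { USERS[u] }
  puts "vulnerable accepts forged request: #{validate_vulnerable('GET', '/admin', forged, &lookup)}"
  puts "fixed accepts forged request:      #{validate_fixed('GET', '/admin', forged, &lookup)}"
end
```

The hardened validator does the one thing the vulnerable one omits: it treats "no password found for this user" as a rejection rather than as an empty password. Applications that wrote their own lookup block could not protect themselves from the Rails side of this bug, which is why the fix had to land in the framework.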
Comment 1 Sir Raorn 2009-07-13 12:16:08 MSD
The version in Sisyphus (2.3.2.1) contains this commit.
Comment 3 Sir Raorn 2009-07-13 12:34:27 MSD
I slightly mixed up "follows" and "precedes".
Comment 4 Sir Raorn 2009-10-13 14:09:43 MSD
Anyway, this has long since been fixed.