#20765 – CVE-2009-2422 Ruby on Rails Bug in 'http_authentication.rb' Lets Remote Users Bypass Authentication

Bug 20765 - CVE-2009-2422 Ruby on Rails Bug in 'http_authentication.rb' Lets Remote Users Bypass Authentication

Summary: CVE-2009-2422 Ruby on Rails Bug in 'http_authentication.rb' Lets Remote Users...

Status:	CLOSED FIXED

Alias:	None

Product:	Sisyphus
Classification:	Development
Component:	ruby-actionpack (show other bugs)
Version:	unstable
Hardware:	all Linux

Importance:	P3 normal
Assignee:	Andrey Cherepanov
QA Contact:	qa-sisyphus

URL:	http://securitytracker.com/alerts/200...
Keywords:	security

Depends on:
Blocks:

Reported:	2009-07-13 11:29 MSD by Vladimir Lettiev
Modified:	2009-10-13 14:09 MSD (History)
CC List:	10 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vladimir Lettiev 2009-07-13 11:29:39 MSD

A vulnerability was reported in Ruby on Rails. A remote user can bypass authentication.

A remote user can supply a specially crafted (invalid) username with no password to successfully authenticate and access a protected page. 

fixed in git: http://github.com/rails/rails/commit/056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489

Comment 1 Sir Raorn 2009-07-13 12:16:08 MSD

Версия в Сизифе (2.3.2.1) содержит этот коммит.

Comment 2 Vladimir Lettiev 2009-07-13 12:20:34 MSD

Я заглянул сюда и не увидел: http://git.altlinux.org/gears/r/ruby-rails.git?p=ruby-rails.git;a=blob;f=actionpack/lib/action_controller/http_authentication.rb;h=b6b5267c66f92c79bb4da58cb97dac7e84728a50;hb=d5dad091d19865be1e948a0b235c589ca801b1fc#l194

Comment 3 Sir Raorn 2009-07-13 12:34:27 MSD

Немного перепутал follows и preceedes.

Comment 4 Sir Raorn 2009-10-13 14:09:43 MSD

Тащемта, уже давно исправлено, например.