CVE-2008-7248: Input Validation
First published: Tue Nov 18 2008(Updated: )
A possibility to circumvent protection against cross-site request forgery (CSRF) attacks was found in Ruby on Rails. Quoting upstream security advisory for exact details: There is a bug in all 2.1.x versions of Ruby on Rails which affects the effectiveness of the CSRF protection given by protect_from_forgery. By design rails does not perform token verification on requests with certain content types not typically generated by browsers. Unfortunately this list also included ‘text/plain’ which can be generated by browsers. Requests can be crafted which will circumvent the CSRF protection entirely. Rails does not parse the parameters provided with these requests, but that may not be enough to protect your application. References: ----------- <a href="http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html">http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html</a> <a href="http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1">http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1</a> Upstream patch: --------------- <a href="http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a">http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a</a> CVE Request: ------------ <a href="http://www.openwall.com/lists/oss-security/2009/11/28/1">http://www.openwall.com/lists/oss-security/2009/11/28/1</a>
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rubyonrails Rails | =2.1.0 | |
| Rubyonrails Rails | =2.1.1 | |
| Rubyonrails Rails | =2.1.2 | |
| Rubyonrails Rails | =2.2.0 | |
| Rubyonrails Rails | =2.2.1 | |
| rubygems/actionpack | >=2.2.0<2.2.2 | 2.2.2 |
| rubygems/actionpack | >=2.1.0<2.1.3 | 2.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2008-7248
- https://access.redhat.com/security/cve/CVE-2008-7248
- https://bugzilla.redhat.com/show_bug.cgi?id=544329
- https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
- https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
- https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
- https://www.openwall.com/lists/oss-security/2009/11/28/1
- https://www.openwall.com/lists/oss-security/2009/12/02/2
- https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml
- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
- http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
- http://www.openwall.com/lists/oss-security/2009/11/28/1
- http://www.openwall.com/lists/oss-security/2009/12/02/2
- https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
- https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544
- https://github.com/advisories/GHSA-8fqx-7pv4-3jwm (Advisory)
- http://secunia.com/advisories/36600
- http://secunia.com/advisories/38915
- http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
- http://www.vupen.com/english/advisories/2009/2544
- http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
- https://rails.lighthouseapp.com/projects/8994/tickets/1145-bug-invalidauthenticitytoken-incorrectly-raised-for-xml-controllerdestroy-request
- http://github.com/rails/rails/commit/f1ad8b48aae3ee26613b3e77bc0056e120096846
- http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.fc10
- http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.el5
- https://www.cve.org/CVERecord?id=CVE-2008-7248 https://nvd.nist.gov/vuln/detail/CVE-2008-7248
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7248.json
- collector/nvd-historical
- collector/github-advisory-latest
- alias/GHSA-8fqx-7pv4-3jwm
- alias/CVE-2008-7248
- collector/github-advisory
- collector/nvd-cve
- collector/nvd-index
- agent/weakness
- agent/author
- agent/type
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-cve
- source/Red Hat
- collector/redhat-bugzilla
- agent/tags
- agent/severity
- agent/references
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/rubyonrails
- canonical/rubyonrails rails
- version/rubyonrails rails/2.1.0
- version/rubyonrails rails/2.1.1
- version/rubyonrails rails/2.1.2
- version/rubyonrails rails/2.2.0
- version/rubyonrails rails/2.2.1
- package-manager/rubygems