REDHAT-BUG-544329: CSRF
First published: Fri Dec 04 2009(Updated: )
A possibility to circumvent protection against cross-site request forgery (CSRF) attacks was found in Ruby on Rails. Quoting upstream security advisory for exact details: There is a bug in all 2.1.x versions of Ruby on Rails which affects the effectiveness of the CSRF protection given by protect_from_forgery. By design rails does not perform token verification on requests with certain content types not typically generated by browsers. Unfortunately this list also included ‘text/plain’ which can be generated by browsers. Requests can be crafted which will circumvent the CSRF protection entirely. Rails does not parse the parameters provided with these requests, but that may not be enough to protect your application. References: ----------- <a href="http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html">http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html</a> <a href="http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1">http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1</a> Upstream patch: --------------- <a href="http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a">http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a</a> CVE Request: ------------ <a href="http://www.openwall.com/lists/oss-security/2009/11/28/1">http://www.openwall.com/lists/oss-security/2009/11/28/1</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby on Rails | >=2.1.0<=2.1.x |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
- http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
- http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
- http://www.openwall.com/lists/oss-security/2009/11/28/1
- https://rails.lighthouseapp.com/projects/8994/tickets/1145-bug-invalidauthenticitytoken-incorrectly-raised-for-xml-controllerdestroy-request
- http://github.com/rails/rails/commit/f1ad8b48aae3ee26613b3e77bc0056e120096846
- http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.fc10
- http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.el5
- https://access.redhat.com/security/cve/CVE-2008-7248
- https://bugzilla.redhat.com/show_bug.cgi?id=544329
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-7248
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/ruby on rails
- canonical/ruby on rails