Message-Id: <531C60E7-D4B1-464A-9FB7-0178CCD72380@matasano.com>
Date: Thu, 9 Oct 2014 14:14:39 -0500
From: Tomek Rabczak <tomek@...asano.com>
To: oss-security@...ts.openwall.com
Subject: Authentication Bypass in ROR Ecommerce
Hello all,
I’ve worked with David Henner, the Ruby on Rails Ecommerce owner, to fix a security issue in the password reset functionality of the ROR Ecommerce application. When a user is created in the ROR Ecommerce application, a perishable_token is generated for that user. This perishable token is then used for password resets. Note that a password reset request never needs to be initiated, as this token is immediately available.
Due to the way MySQL handles typecasting, it is possible to send a token value of the integer 0 which will then match the first perishable token in the database. The way the application is first initialized and setup, the administrative user is the first user to be created. This can be seen in the Getting Started section: https://github.com/drhenner/ror_ecommerce#getting-started. As a result, the integer 0 passed to the application will match the administrator’s account. The application then logs the matched user in and allows them to change the password.
This bug is the same as joernchen’s example in his MySQL madness and Rails post.
http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/
The fix is simple and can be found in this commit: https://github.com/drhenner/ror_ecommerce/commit/25fe5ebb2f193978e9f9967c9dfe6be5716e8650
Would it be possible to get a CVE assigned to this?
Thanks,
Tomek
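The MySQL coercion the message describes, as an added Ruby illustration that is not part of the original post or of the ror_ecommerce code base. It models MySQL's documented string-to-number comparison (a VARCHAR compared with an integer literal is converted using its leading numeric prefix, and a string with no numeric prefix becomes 0) over a constructed in-memory users table, and shows a lookup that binds the raw parameter next to one that insists on a non-blank String. The integer reaches the controller when the token is submitted in a JSON or XML request body (a query-string parameter is always a string). The "hardened" lookup is an assumed fix written for this example, not the contents of the commit linked above.

```ruby
# Model of MySQL's string-vs-integer comparison, to show why an integer 0
# token matches a random alphanumeric perishable_token. Added illustration;
# the table, e-mail addresses and tokens below are constructed sample data.

# MySQL compares a VARCHAR column against an integer literal by converting the
# string to a number: the longest leading numeric prefix is used, and a string
# with no numeric prefix converts to 0. So 'qZv8...' = 0 is TRUE, '3hT9...' = 3.
def mysql_numeric_value(str)
  m = str.match(/\A\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?/)
  m ? m[0].to_f : 0.0
end

# Emulates `WHERE perishable_token = <bound value>` on a string column:
# a String bound value is compared as a string, a Numeric one triggers the cast.
def mysql_equal?(column_value, bound_value)
  if bound_value.is_a?(Numeric)
    mysql_numeric_value(column_value) == bound_value.to_f
  else
    column_value == bound_value.to_s
  end
end

# Constructed users table. The admin is the first row, mirroring the
# ror_ecommerce setup in which the first user created is the administrator.
USERS = [
  { id: 1, email: "admin@example.com", perishable_token: "qZv8kLm2pX4aR7nB" },
  { id: 2, email: "alice@example.com", perishable_token: "3hT9wCxE1yKd6sLq" },
].freeze

# Vulnerable lookup: whatever type the parameter arrived as (an Integer when
# the request body was JSON such as {"token": 0}) is bound straight into the
# query, so the first row whose token has no leading digits matches 0.
def find_by_token_vulnerable(token)
  USERS.find { |u| mysql_equal?(u[:perishable_token], token) }
end

# Hardened lookup (assumed fix for this example): require a non-blank String
# and compare as strings, so a numeric 0 can never coerce the column.
def find_by_token_hardened(token)
  return nil unless token.is_a?(String) && !token.strip.empty?
  USERS.find { |u| u[:perishable_token] == token }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, token 0   -> #{find_by_token_vulnerable(0)&.fetch(:email).inspect}"
  puts "hardened,   token 0   -> #{find_by_token_hardened(0).inspect}"
  puts "hardened,   real token -> #{find_by_token_hardened('3hT9wCxE1yKd6sLq')&.fetch(:email).inspect}"
end
```

Note the nuance the model exposes: 0 matches the first token whose numeric prefix is 0, so a random token that happens to start with a digit would not match; in the ror_ecommerce setup the admin is the first row, which is what makes the attack reliable. Checking the parameter's type (or calling `.to_s` on it before the query) closes the coercion; separately, a reset token should only exist after a reset has been requested, as the message points out.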