Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CALPTtNW1aQq5JkniYnFJzox6Pz_ygbWGmapEK0fXPN1SWGBFkw@mail.gmail.com>
Date: Wed, 6 Jan 2016 16:17:57 -0800
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: Missing normalization in ruby gem rack-attack <4.3.1
 when used with ruby on rails

Saw this tweeted. No public security notification outside of the release
notes and a few tweets, it seems. :(

Rack::Attack <4.3.1 does not normalize paths before processing them,
meaning that if there is a throttle or block rule for /login, a malicious
user could use /login/ to bypass the check. This only affects Rails
applications.

More details: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1

Fixed by:
https://github.com/kickstarter/rack-attack/commit/76c2e3143099d938883ae5654527b47e9e6a8977

Related tweets:

https://twitter.com/rorsecurity/status/678878091314335744
https://twitter.com/IncludeSecurity/status/677905982391984129

This could almost be categorized as CWE-289 "Authentication Bypass by
Alternate Name", but it's not really authentication here. I couldn't find a
better CWE without getting too generic.

Needs a CVE assigned.

~reed

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.