In association with heise online

05 June 2009, 14:24

Ruby On Rails password protection can be nullified due to flawed code


The Ruby on Rails developers have, in their blog, noted a security problem which can allow the circumvention of password protection of pages or content. This is related to the return value from the digest authentication code, authenticate_or_request_with_http_digest. This code should return true if the user is found and false if not. However the documentation was unclear, and it was possible for a developer to return nil from the method.

Because nil is not false, Rails treated a nil return as a successful lookup and continued authenticating. This would allow an attacker to provide an invalid user name with no password and authenticate successfully. One example of flawed code comes from the Rails documentation itself:

authenticate_or_request_with_http_digest(REALM) do |username|
  USERS[username]   # yields nil, not false, when the user is not found
end

This code should instead be changed so that it returns false if the user is not found:

authenticate_or_request_with_http_digest(REALM) do |username|
  USERS[username] || false
end

Making this change in application code closes the vulnerability without patching Rails itself. A fix to Rails, which treats a nil return as an authentication failure, has been created and is available in Edge Rails; it will appear in Ruby on Rails 2.3.3, due to be released in a few days.
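To illustrate both sides of the fix, here is an added example that is not taken from the article or from Rails itself: a simplified digest check in the shape of the Rails helper, where the lookup block returns false for unknown users and the validator also treats any nil or false lookup result as a failure. USERS, REALM, the helper names and the credential fields are assumptions made for the example.

```ruby
require 'digest/md5'

# Constructed sample credential store (assumption: plaintext passwords keyed by username).
USERS = { 'alice' => 'correct horse' }.freeze
REALM = 'Application'

# Password lookup in the shape Rails passes to authenticate_or_request_with_http_digest.
# The "|| false" guarantees an unknown user yields false, never nil.
PASSWORD_LOOKUP = lambda { |username| USERS[username] || false }

# HA1, HA2 and the response per RFC 2617 (qop=auth); stand-ins for Rails' own helpers.
def ha1(username, realm, password)
  Digest::MD5.hexdigest([username, realm, password].join(':'))
end

def ha2(method, uri)
  Digest::MD5.hexdigest([method, uri].join(':'))
end

def expected_response(creds, password)
  Digest::MD5.hexdigest([ha1(creds[:username], creds[:realm], password),
                         creds[:nonce], creds[:nc], creds[:cnonce], creds[:qop],
                         ha2(creds[:method], creds[:uri])].join(':'))
end

# Hardened server-side check: a falsy lookup result (nil or false) is an authentication
# failure, so the digest comparison never runs with a missing password. Without the
# guard, nil would be joined into the hash as an empty string and a matching response
# could be computed for a user that does not exist.
def valid_digest?(creds, &password_procedure)
  password = password_procedure.call(creds[:username])
  return false unless password
  expected_response(creds, password) == creds[:response]
end

# Constructed credentials in the form a client would send in its Authorization header.
def sample_creds(username, response)
  { username: username, realm: REALM, nonce: 'n1', nc: '00000001', cnonce: 'c1',
    qop: 'auth', method: 'GET', uri: '/secret', response: response }
end
```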
