oss-sec mailing list archives

Authentication Bypass in ROR Ecommerce


From: Tomek Rabczak <tomek () matasano com>
Date: Thu, 9 Oct 2014 14:14:39 -0500

Hello all,

I’ve worked with David Henner, the Ruby on Rails Ecommerce owner to fix a security issue in the password reset 
functionality of the ROR Ecommerce application. When a user is created in the ROR Ecommerce application, a 
perishable_token is generated for that user. This perishable token is then used for password resets. Note that a 
password reset request never needs to be initiated as this token is immediately available.

Due to the way MySQL handles typecasting, it is possible to send a token value of the integer 0 which will then match 
the first perishable token in the database. The way the application is first initialized and setup, the administrative 
user is the first user to be created. This can be seen in the Getting Started section: 
https://github.com/drhenner/ror_ecommerce#getting-started. As a result, the integer 0 passed to the application will 
match the administrator’s account. The application then logs the matched user in and allows them to change the password.


This bug is the same as joernchen’s example in his MySQL madness and Rails post.

http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/

The fix is simple and can be found in this commit: 
https://github.com/drhenner/ror_ecommerce/commit/25fe5ebb2f193978e9f9967c9dfe6be5716e8650

Would it be possible to get a CVE assigned to this?

Thanks,
Tomek
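The comparison the report describes, as an added example written for this archive entry (not code from ROR Ecommerce or from the commit linked above): a small Ruby model of MySQL's string-to-number coercion beside a lookup that validates the token parameter before it ever reaches the query. The sample rows and the token format are assumptions.

```ruby
# Added example: models how MySQL compares a VARCHAR column to an integer, and
# contrasts a lookup that forwards the raw parameter with one that validates it.

# Constructed sample rows; the admin is the first user created, as in the report.
USERS = [
  { id: 1, email: "admin@example.com", perishable_token: "kq7ZpXw4Lm2r" },
  { id: 2, email: "alice@example.com", perishable_token: "d9QfT3bHn8Vy" },
].freeze

# Simplified model of MySQL's implicit string-to-number conversion: the leading
# numeric prefix is used, and a string with no numeric prefix becomes 0.
def mysql_to_number(str)
  m = str.match(/\A\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?/)
  m ? m[0].to_f : 0.0
end

# Emulates `WHERE perishable_token = <value>`: when the value is numeric, MySQL
# casts the column to a number before comparing; otherwise it compares strings.
def mysql_equal?(column_value, value)
  if value.is_a?(Numeric)
    mysql_to_number(column_value) == value.to_f
  else
    column_value == value
  end
end

# Vulnerable lookup: the parameter is passed through with whatever type it
# arrived as, so an integer 0 matches the first non-numeric token in the table.
def find_user_unsafe(token)
  USERS.find { |u| mysql_equal?(u[:perishable_token], token) }
end

# Hardened lookup: only a non-empty String in the expected token alphabet is
# accepted, and the comparison is plain string equality, so the column is never
# coerced to a number. (The token format here is an assumption for this example.)
def find_user_safe(token)
  return nil unless token.is_a?(String) && token.match?(/\A[A-Za-z0-9]{12,}\z/)
  USERS.find { |u| u[:perishable_token] == token }
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe, integer 0 -> #{find_user_unsafe(0)&.fetch(:email).inspect}"
  puts "safe,   integer 0 -> #{find_user_safe(0).inspect}"
  puts "safe,   real token -> #{find_user_safe('d9QfT3bHn8Vy')&.fetch(:email).inspect}"
end
```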





