oss-sec mailing list archives
Cross-site request forgery (CSRF) vulnerability in administrate gem
From: Tute Costa <tute () thoughtbot com>
Date: Fri, 1 Apr 2016 13:42:37 -0400
Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth authorization code.

Versions Affected: 0.1.4 and below
Fixed Versions: 0.1.5

Impact
------

`Administrate::ApplicationController` actions didn't have CSRF protection. Remote attackers can hijack users' sessions and use any functionality that administrate exposes on their behalf.

Releases
--------

The 0.1.5 release is available at https://rubygems.org/gems/administrate and https://github.com/thoughtbot/administrate.

Upgrade Process
---------------

Upgrade administrate to version 0.1.5 or later.

Workarounds
-----------

You can reopen Administrate's `ApplicationController` to add CSRF protection to your application:

```ruby
module Administrate
  class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
  end
end
```

Credits
-------

Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.
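For readers who want to see what the `protect_from_forgery with: :exception` workaround above actually enforces, here is an added, simplified re-implementation of the synchronizer-token check (this is illustrative example code, not Rails' or administrate's own implementation; the `CsrfGuard` module, the `verify_request!` method and the Hash standing in for the session are all assumptions made for the example). It models the three properties that matter: a per-session secret, a per-form masked token, and a constant-time comparison that refuses state-changing requests lacking a valid token.

```ruby
require "securerandom"
require "base64"

# Simplified model of Rails-style CSRF protection (example code, not Rails').
module CsrfGuard
  TOKEN_LENGTH = 32
  SAFE_METHODS = %w[GET HEAD].freeze

  class InvalidAuthenticityToken < StandardError; end

  # One random secret per session; the Hash stands in for the Rails session.
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # Per-form token: a fresh one-time pad XORed with the session secret, so
  # every rendered form carries a different string for the same secret.
  def self.form_token(session)
    secret = session_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    masked = pad.bytes.zip(secret.bytes).map { |p, s| p ^ s }.pack("C*")
    Base64.strict_encode64(pad + masked)
  end

  # Constant-time byte comparison so a mismatch does not leak its position.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Unmask the submitted token and compare it with the session secret.
  def self.valid_token?(session, submitted)
    return false if submitted.nil?
    begin
      raw = Base64.strict_decode64(submitted)
    rescue ArgumentError
      return false # malformed token is treated as absent
    end
    return false unless raw.bytesize == 2 * TOKEN_LENGTH
    pad, masked = raw[0, TOKEN_LENGTH], raw[TOKEN_LENGTH, TOKEN_LENGTH]
    unmasked = pad.bytes.zip(masked.bytes).map { |p, m| p ^ m }.pack("C*")
    secure_compare(unmasked, session_token(session))
  end

  # Equivalent of `with: :exception`: any non-GET/HEAD request must carry a
  # valid token, otherwise the request is refused before the action runs.
  def self.verify_request!(session, method, params)
    return true if SAFE_METHODS.include?(method.upcase)
    return true if valid_token?(session, params["authenticity_token"])
    raise InvalidAuthenticityToken, "#{method} request without a valid token"
  end
end
```

A form rendered for one session yields a token that only that session accepts; a request forged from another origin has no way to obtain it, which is exactly the gap the unprotected controller left open.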