oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE request: Missing normalization in ruby gem rack-attack <4.3.1 when used with ruby on rails

From: Reed Loden <reed () reedloden com>
Date: Wed, 6 Jan 2016 16:17:57 -0800
Saw this tweeted. No public security notification outside of the release
notes and a few tweets, it seems. :(

Rack::Attack <4.3.1 does not normalize paths before processing them,
meaning that if there is a throttle or block rule for /login, a malicious
user could use /login/ to bypass the check. This only affects Rails
applications.

More details: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1

Fixed by:
https://github.com/kickstarter/rack-attack/commit/76c2e3143099d938883ae5654527b47e9e6a8977

Related tweets:

https://twitter.com/rorsecurity/status/678878091314335744
https://twitter.com/IncludeSecurity/status/677905982391984129

This could almost be categorized as CWE-289 "Authentication Bypass by
Alternate Name", but it's not really authentication here. I couldn't find a
better CWE without getting too generic.

Needs a CVE assigned.

~reed
Previous By Date Next
Previous By Thread Next

Current thread: