oss-sec mailing list archives

Cross-site request forgery (CSRF) vulnerability in administrate gem


From: Tute Costa <tute () thoughtbot com>
Date: Fri, 1 Apr 2016 13:42:37 -0400

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4
and earlier allows remote attackers to hijack the user's OAuth
authorization code.

Versions Affected:  0.1.4 and below
Fixed Versions:     0.1.5

Impact
------

`Administrate::ApplicationController` actions didn't have CSRF
protection. Remote attackers can hijack users' sessions and use any
functionality that administrate exposes on their behalf.

Releases
--------

The 0.1.5 release is available at
https://rubygems.org/gems/administrate and
https://github.com/thoughtbot/administrate.

Upgrade Process
---------------

Upgrade administrate version at least to 0.1.5.

Workarounds
-----------

You can reopen Administrate's `ApplicationController` to add CSRF
protection to your application:

```ruby
module Administrate
  class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
  end
end
```
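As an added illustration (not code from the gem or from Rails), the following simplified model shows what `protect_from_forgery with: :exception` enforces once the workaround above is in place: state-changing requests must carry the session's authenticity token, in the form field or the `X-CSRF-Token` header, and a missing or mismatched token raises instead of running the action. The class and method names are assumptions chosen for the example; `InvalidAuthenticityToken` stands in for Rails' `ActionController::InvalidAuthenticityToken`.

```ruby
require "securerandom"

# Stands in for ActionController::InvalidAuthenticityToken (assumed name).
class InvalidAuthenticityToken < StandardError; end

# Simplified model of the check that protect_from_forgery performs before
# each action. This is an illustration, not Rails' own implementation.
class CsrfGuard
  # Methods that must not change state and therefore skip the check.
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(session)
    @session = session
  end

  # Per-session token that the layout embeds in forms and in the
  # <meta name="csrf-token"> tag; generated lazily on first use.
  def form_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Returns true when the request may proceed, raises otherwise.
  def verify!(method:, params: {}, headers: {})
    return true if SAFE_METHODS.include?(method.to_s.upcase)

    submitted = params["authenticity_token"] || headers["X-CSRF-Token"]
    expected = @session[:_csrf_token]
    unless submitted && expected && secure_compare(submitted, expected)
      raise InvalidAuthenticityToken, "CSRF token missing or invalid"
    end
    true
  end

  private

  # Constant-time comparison so timing does not leak how many leading
  # bytes of a guessed token were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Without the guard, the cross-origin POST in the second check below would have reached the administrate action; with it, the request is rejected before any handler runs.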

Credits
-------
Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.
