Date: Wed, 6 Jan 2016 16:17:57 -0800
From: Reed Loden <>
	Assign a CVE Identifier <>
Subject: CVE request: Missing normalization in ruby gem rack-attack <4.3.1 when used with ruby on rails

Saw this tweeted. No public security notification outside of the release
notes and a few tweets, it seems. :(

Rack::Attack <4.3.1 does not normalize paths before processing them,
meaning that if there is a throttle or block rule for /login, a malicious
user could use /login/ to bypass the check. This only affects Rails

More details:

Fixed by:

Related tweets:

This could almost be categorized as CWE-289 "Authentication Bypass by
Alternate Name", but it's not really authentication here. I couldn't find a
better CWE without getting too generic.

Needs a CVE assigned.
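The bypass described in this report comes down to a path-based rule comparing the raw request path against a fixed string, while the application (a Rails router, which treats `/login` and `/login/` as the same route) serves both spellings identically. The following is an added illustration of that defect and its mitigation; it is not rack-attack's own code and does not reproduce the 4.3.1 fix. `normalize_path`, `PathThrottle` and `simulate` are hypothetical names, the client address and request list are constructed sample data, and the normalization shown (collapsing repeated slashes, resolving `.` and `..` segments, dropping the trailing slash) is one reasonable policy, not the gem's.

```ruby
# Added example: a path throttle with and without path normalization.
# Not rack-attack code; the rule and normalizer are hypothetical illustrations.

# Canonicalise a request path so that alternate spellings of the same route
# ("/login/", "//login", "/login/.") compare equal to "/login".
def normalize_path(path)
  path = "/#{path}" unless path.start_with?("/")
  segments = []
  path.split("/").each do |seg|
    case seg
    when "", "." then next          # empty segment (repeated slash) or "."
    when ".."    then segments.pop  # step up one level, never above root
    else segments << seg
    end
  end
  "/" + segments.join("/")
end

# Minimal per-client counter for one protected path. With normalize: false it
# mimics the pre-4.3.1 behaviour of matching the raw path string.
class PathThrottle
  def initialize(path:, limit:, normalize: true)
    @path = path
    @limit = limit
    @normalize = normalize
    @counts = Hash.new(0)
  end

  # Returns :blocked once the client has exceeded the limit for the protected
  # path; requests that do not match the rule are always :allowed.
  def call(client_ip, request_path)
    candidate = @normalize ? normalize_path(request_path) : request_path
    return :allowed unless candidate == @path

    @counts[client_ip] += 1
    @counts[client_ip] > @limit ? :blocked : :allowed
  end
end

# Constructed sample traffic: one client hitting the login endpoint six times
# using different spellings that a Rails router would treat as the same route.
def simulate(normalize:)
  throttle = PathThrottle.new(path: "/login", limit: 3, normalize: normalize)
  paths = ["/login", "/login/", "//login", "/login/.", "/login", "/login//"]
  paths.map { |p| throttle.call("198.51.100.7", p) }
end

if __FILE__ == $PROGRAM_NAME
  puts "raw-path rule:        #{simulate(normalize: false).inspect}"
  puts "normalised-path rule: #{simulate(normalize: true).inspect}"
end
```

Run stand-alone, the raw-path rule never blocks, because only two of the six requests are the literal string `/login`, while the normalised rule counts all six and blocks from the fourth request onward. The point for a defender is that any allow, block or throttle rule keyed on a path must compare against the same canonical form the application's router uses, or the rule and the application disagree about which requests are "the same".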

