Date: Wed, 6 Jan 2016 16:17:57 -0800 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org> Subject: CVE request: Missing normalization in ruby gem rack-attack <4.3.1 when used with ruby on rails Saw this tweeted. No public security notification outside of the release notes and a few tweets, it seems. :( Rack::Attack <4.3.1 does not normalize paths before processing them, meaning that if there is a throttle or block rule for /login, a malicious user could use /login/ to bypass the check. This only affects Rails applications. More details: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1 Fixed by: https://github.com/kickstarter/rack-attack/commit/76c2e3143099d938883ae5654527b47e9e6a8977 Related tweets: https://twitter.com/rorsecurity/status/678878091314335744 https://twitter.com/IncludeSecurity/status/677905982391984129 This could almost be categorized as CWE-289 "Authentication Bypass by Alternate Name", but it's not really authentication here. I couldn't find a better CWE without getting too generic. Needs a CVE assigned. ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ