Date: Fri, 1 Apr 2016 13:42:37 -0400
From: Tute Costa <tute@...ughtbot.com>
To: oss-security@...ts.openwall.com
Subject: Cross-site request forgery (CSRF) vulnerability in administrate gem

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4
and earlier allows remote attackers to hijack the user's OAuth
authorization code.

Versions Affected:  0.1.4 and below
Fixed Versions:     0.1.5

Impact
------

`Administrate::ApplicationController` actions had no CSRF protection.
A remote attacker who gets an authenticated administrator to visit a
page they control can make the victim's browser submit state-changing
requests to the admin interface; the browser attaches the session cookie
automatically, so the attacker can use any functionality administrate
exposes on the victim's behalf.

Releases
--------

The 0.1.5 release is available at
https://rubygems.org/gems/administrate and
https://github.com/thoughtbot/administrate.

Upgrade Process
---------------

Upgrade administrate to version 0.1.5 or later.

Workarounds
-----------

You can reopen Administrate's `ApplicationController` to add CSRF
protection to your application. With `with: :exception`, any non-GET
request that does not carry a valid authenticity token (as the
`authenticity_token` form field or the `X-CSRF-Token` header) raises
`ActionController::InvalidAuthenticityToken`, so custom forms or XHR
calls against the admin interface must include the token:

```ruby
module Administrate
  # Reopen the gem's base controller (it inherits from
  # ActionController::Base) and enable Rails' built-in CSRF check.
  class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
  end
end
```
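The following is an added example, not code from this advisory or from the administrate project, that models the check `protect_from_forgery` performs so the difference between the unprotected and the fixed controller can be seen without a Rails app. Sessions and requests are plain hashes, `AdminController#destroy` is a hypothetical stand-in for an Administrate action, and the requests replayed in `run_scenario` are constructed for the demonstration:

```ruby
require "securerandom"

# Mirrors ActionController::InvalidAuthenticityToken.
class InvalidAuthenticityToken < StandardError; end

# Minimal model of the request-verification step that protect_from_forgery
# adds to a controller (hypothetical helper, not Rails' implementation).
module CsrfGuard
  TOKEN_BYTES = 32

  # Issue (or reuse) the per-session token that the application embeds in
  # its own forms as the hidden `authenticity_token` field.
  def self.form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_BYTES)
  end

  # GET and HEAD are treated as safe, as in Rails; every other verb must
  # present the session's token, either as a form param or in the
  # X-CSRF-Token header used by XHR requests.
  def self.verified_request?(session, request)
    return true if %w[GET HEAD].include?(request[:method])
    expected = session[:_csrf_token]
    return false if expected.nil?
    presented = request.fetch(:params, {})["authenticity_token"] ||
                request.fetch(:headers, {})["X-CSRF-Token"]
    return false if presented.nil?
    secure_compare(presented, expected)
  end

  # Constant-time comparison so the token cannot be guessed byte by byte
  # through timing differences.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Stand-in for an Administrate action such as DELETE /admin/users/:id.
class AdminController
  attr_reader :deleted

  def initialize(protect_from_forgery:)
    @protect_from_forgery = protect_from_forgery
    @deleted = []
  end

  # The session cookie is sent by the browser on cross-site requests too, so
  # without the token check a forged request is indistinguishable from a
  # legitimate one.
  def destroy(session, request)
    if @protect_from_forgery && !CsrfGuard.verified_request?(session, request)
      raise InvalidAuthenticityToken
    end
    @deleted << request[:params]["id"]
    :deleted
  end
end

# Replays two requests against one logged-in admin session: the app's own
# form submission (token present) and a forged cross-site submission, which
# cannot carry the token because the attacker's page cannot read it.
def run_scenario(protect_from_forgery:)
  session = {}
  token = CsrfGuard.form_authenticity_token(session)
  controller = AdminController.new(protect_from_forgery: protect_from_forgery)

  legitimate = { method: "DELETE",
                 params: { "id" => "42", "authenticity_token" => token } }
  forged = { method: "DELETE", params: { "id" => "7" } }

  results = {}
  results[:legitimate] = controller.destroy(session, legitimate)
  results[:forged] = begin
    controller.destroy(session, forged)
  rescue InvalidAuthenticityToken
    :rejected
  end
  results[:deleted] = controller.deleted
  results
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected: #{run_scenario(protect_from_forgery: false)}"
  puts "protected:   #{run_scenario(protect_from_forgery: true)}"
end
```

Running the script shows the unprotected controller deleting both records, while the protected one serves the legitimate form and rejects the forged request. The same `verified_request?` path accepts the token in the `X-CSRF-Token` header, which is what an admin page's own XHR calls must send once the workaround is in place.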

Credits
-------
Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.
