Date: Fri, 1 Apr 2016 13:42:37 -0400
From: Tute Costa <tute@...ughtbot.com>
To: oss-security@...ts.openwall.com
Subject: Cross-site request forgery (CSRF) vulnerability in administrate gem

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth authorization code.

Versions Affected: 0.1.4 and below
Fixed Versions: 0.1.5

Impact
------

`Administrate::ApplicationController` actions didn't have CSRF protection. Remote attackers can hijack users' sessions and use any functionality that administrate exposes on their behalf.

Releases
--------

The 0.1.5 release is available at https://rubygems.org/gems/administrate and https://github.com/thoughtbot/administrate.

Upgrade Process
---------------

Upgrade administrate to version 0.1.5 or later.

Workarounds
-----------

You can reopen Administrate's `ApplicationController` to add CSRF protection to your application:

```ruby
module Administrate
  class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
  end
end
```

Credits
-------

Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.
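To make the Workarounds section concrete, the following is an added, simplified model of the synchronizer-token check that `protect_from_forgery with: :exception` performs; it is illustration written for this post, not Administrate's or Rails' code, and the `verify_authenticity!`, `unprotected_destroy` and `protected_destroy` names are hypothetical. It shows why a forged cross-site POST (which carries the victim's session cookie but cannot read the per-session token) is accepted by the unprotected controller and rejected by the protected one.

```ruby
require "securerandom"

# Raised when a state-changing request lacks a valid token, mirroring the
# effect of `protect_from_forgery with: :exception`.
class InvalidAuthenticityToken < StandardError; end

# Idempotent methods are exempt from the check, as in Rails.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Per-session secret that the server embeds in forms (authenticity_token) and
# in the csrf-token meta tag; a cross-origin page cannot read either.
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# Constant-time comparison so verification leaks nothing about the token via timing.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The before-action check: a request is a constructed hash with :method,
# :params and :headers, standing in for the Rack request object.
def verify_authenticity!(session, request)
  return true if SAFE_METHODS.include?(request[:method])
  sent = request[:params]["authenticity_token"] || request[:headers]["X-CSRF-Token"]
  return true if secure_compare(sent, session[:_csrf_token])
  raise InvalidAuthenticityToken, "CSRF token missing or invalid"
end

# Pre-0.1.5 behaviour (hypothetical action): no check, the action always runs.
def unprotected_destroy(_session, _request)
  :deleted
end

# Post-fix behaviour: the same action behind the authenticity check.
def protected_destroy(session, request)
  verify_authenticity!(session, request)
  :deleted
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = csrf_token_for(session)
  forged = { method: "POST", params: {}, headers: {} }          # constructed cross-site request
  legit  = { method: "POST", params: { "authenticity_token" => token }, headers: {} }
  puts unprotected_destroy(session, forged)   # :deleted, the CSRF succeeds
  puts protected_destroy(session, legit)      # :deleted, same-origin form is fine
  begin
    protected_destroy(session, forged)
  rescue InvalidAuthenticityToken => e
    puts "rejected: #{e.message}"
  end
end
```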