Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 11 Feb 2013 10:23:28 -0800
From: Aaron Patterson <tenderlove@...y-lang.org>
To: rubyonrails-security@...glegroups.com, oss-security@...ts.openwall.com
Subject: Circumvention of attr_protected [CVE-2013-0276]

Circumvention of attr_protected

There is a vulnerability in the attr_protected method in ActiveRecord. This vulnerability has been assigned the CVE identifier CVE-2013-0276.

Versions Affected:  All.
Not affected:       Applications using attr_accessible
Fixed Versions:     3.2.12, 3.1.11, 2.3.17

Impact 
------
The attr_protected method allows developers to specify a blacklist of model attributes which users should not be allowed to assign to.  By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.

All users running an affected release should either upgrade or use one of the work arounds immediately.  Users should also consider switching from attr_protected to the whitelist method attr_accessible which is not vulnerable to this attack.

Releases 
-------- 
The 3.2.12, 3.1.11, and 2.3.17 releases are available at the normal locations. 

Workarounds 
----------- 
The only feasible work around for this issue is to convert the application to use attr_accessible instead of attr_protected.

Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 

* 3-2-attr_protected.patch - Patch for 3.2 series 
* 3-1-attr_protected.patch - Patch for 3.1 series 
* 3-0-attr_protected.patch - Patch for 3.0 series
* 2-3-attr_protected.patch - Patch for 2.3 series

Please note that only the 3.1.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits 
-------
Thanks to joernchen of Phenoelit and Ryan Koppenhaver of Matasano Security for reporting the vulnerability to us and working closely with us on a fix.

-- 
Aaron Patterson
http://tenderlovemaking.com/

View attachment "2-3-attr_protected.patch" of type "text/plain" (2730 bytes)

View attachment "3-0-attr_protected.patch" of type "text/plain" (1841 bytes)

View attachment "3-1-attr_protected.patch" of type "text/plain" (1805 bytes)

View attachment "3-2-attr_protected.patch" of type "text/plain" (1748 bytes)

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.