Date: Wed, 6 Jan 2016 16:17:57 -0800 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org> Subject: CVE request: Missing normalization in ruby gem rack-attack <4.3.1 when used with ruby on rails Saw this tweeted. No public security notification outside of the release notes and a few tweets, it seems. :( Rack::Attack <4.3.1 does not normalize paths before processing them, meaning that if there is a throttle or block rule for /login, a malicious user could use /login/ to bypass the check. This only affects Rails applications. More details: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1 Fixed by: https://github.com/kickstarter/rack-attack/commit/76c2e3143099d938883ae5654527b47e9e6a8977 Related tweets: https://twitter.com/rorsecurity/status/678878091314335744 https://twitter.com/IncludeSecurity/status/677905982391984129 This could almost be categorized as CWE-289 "Authentication Bypass by Alternate Name", but it's not really authentication here. I couldn't find a better CWE without getting too generic. Needs a CVE assigned. ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.