Date: Wed, 6 Jan 2016 16:17:57 -0800
From: Reed Loden <>
	Assign a CVE Identifier <>
Subject: CVE request: Missing normalization in ruby gem rack-attack <4.3.1 when used with ruby on rails

Saw this tweeted. No public security notification outside of the release
notes and a few tweets, it seems. :(

Rack::Attack <4.3.1 does not normalize paths before processing them,
meaning that if there is a throttle or block rule for /login, a malicious
user could use /login/ to bypass the check. This only affects Rails

More details:

Fixed by:

Related tweets:

This could almost be categorized as CWE-289 "Authentication Bypass by
Alternate Name", but it's not really authentication here. I couldn't find a
better CWE without getting too generic.

Needs a CVE assigned.
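The mismatch described in the report, as an added example that is not rack-attack's own code: a throttle rule for /login evaluated against the raw request path and against a hypothetical Rails-style normalizer, with constructed traffic (the `Request` struct, `normalize_path` and `LoginThrottle` are all assumptions for this illustration).

```ruby
# Added example, not code from rack-attack or the report's author.
# A minimal stand-in for a Rack request; only the fields the rule needs.
Request = Struct.new(:ip, :path, :post) do
  def post?
    post
  end
end

# Hypothetical normalizer modelled on Rails-style path normalization:
# ensure a leading slash, collapse repeated slashes, drop a trailing slash.
def normalize_path(path)
  p = path.to_s
  p = "/" + p unless p.start_with?("/")
  p = p.gsub(%r{/+}, "/")
  p = p.chomp("/") if p.length > 1
  p
end

class LoginThrottle
  def initialize(limit:, normalize:)
    @limit = limit
    @normalize = normalize
    @counts = Hash.new(0) # per-IP request counter (no period handling)
  end

  # The rule from the report: throttle POSTs to /login, keyed on client IP.
  # Without normalization, "/login/" is a different string and never matches.
  def matches?(req)
    path = @normalize ? normalize_path(req.path) : req.path
    req.post? && path == "/login"
  end

  # Returns :allowed or :throttled for a single request.
  def call(req)
    return :allowed unless matches?(req)
    @counts[req.ip] += 1
    @counts[req.ip] > @limit ? :throttled : :allowed
  end
end

# Constructed traffic: one client alternating "/login" and "/login/".
def simulate(normalize:)
  throttle = LoginThrottle.new(limit: 3, normalize: normalize)
  paths = ["/login", "/login/", "/login", "/login/", "/login", "/login/"]
  paths.map { |p| throttle.call(Request.new("203.0.113.7", p, true)) }
end
```

With the raw path only half of the attempts count toward the limit; once the path is normalized before the rule runs, every attempt counts and the limit is enforced as intended.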

