Date: Fri, 1 Apr 2016 13:42:37 -0400 From: Tute Costa <tute@...ughtbot.com> To: oss-security@...ts.openwall.com Subject: Cross-site request forgery (CSRF) vulnerability in administrate gem Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth autorization code. Versions Affected: 0.1.4 and below Fixed Versions: 0.1.5 Impact ------ `Administrate::ApplicationController` actions didn't have CSRF protection. Remote attackers can hijack user's sessions and use any functionality that administrate exposes on their behalf. Releases -------- The 0.1.5 release is available at https://rubygems.org/gems/administrate and https://github.com/thoughtbot/administrate. Upgrade Process --------------- Upgrade administrate version at least to 0.1.5. Workarounds ----------- You can reopen Administrate's `ApplicationController` to add CSRF protection to your application: ```ruby module Administrate class ApplicationController < ActionController::Base protect_from_forgery with: :exception end end ``` Credits ------- Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.