Date: Fri, 1 Apr 2016 13:42:37 -0400
From: Tute Costa <>
Subject: Cross-site request forgery (CSRF) vulnerability in administrate gem

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4
and earlier allows remote attackers to hijack the user's OAuth
authorization code.

Versions Affected:  0.1.4 and below
Fixed Versions:     0.1.5


`Administrate::ApplicationController` actions didn't have CSRF
protection. Remote attackers can hijack a user's session and use any
functionality that administrate exposes on that user's behalf.


The 0.1.5 release is available at and

Upgrade Process

Upgrade administrate version at least to 0.1.5.


You can reopen Administrate's `ApplicationController` to add CSRF
protection to your application:

module Administrate
  class ApplicationController < ActionController::Base
    # Reject any non-GET request that does not carry a valid authenticity token
    protect_from_forgery with: :exception
  end
end
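To make concrete what `protect_from_forgery with: :exception` verifies on every non-GET request (and what the unprotected administrate actions skipped), here is an added standalone Ruby model of Rails' masked synchronizer-token check. It is not administrate's or Rails' code; the function names, the `_csrf_token` session key and the 32-byte token length are assumptions that mirror Rails' behaviour.

```ruby
require 'securerandom'
require 'base64'
# Standalone model of the token check behind Rails' `protect_from_forgery`
# (assumption: a simplified re-implementation, not Rails' or administrate's
# code). The session holds a random 32-byte token; each per-response token is
# that token XORed with a fresh one-time pad, so it differs per page.
TOKEN_LENGTH = 32
SAFE_METHODS = %w[GET HEAD].freeze

def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so a forged token cannot be refined byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Token to embed in a form field or send in the X-CSRF-Token header.
def masked_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_csrf_token(session)))
end

# Decode pad || (pad XOR real token), unmask, compare against the session.
def valid_authenticity_token?(session, encoded)
  return false unless encoded.is_a?(String) && !encoded.empty?
  token = Base64.strict_decode64(encoded)
  return false unless token.bytesize == TOKEN_LENGTH * 2
  pad, masked = token[0, TOKEN_LENGTH], token[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), real_csrf_token(session))
rescue ArgumentError # not strict base64
  false
end

# Safe verbs are exempt; any other request must carry a token, in the form
# params or the X-CSRF-Token header, that unmasks to this session's token.
# With `with: :exception`, a false result raises InvalidAuthenticityToken.
def verified_request?(method, session, params, headers)
  return true if SAFE_METHODS.include?(method.to_s.upcase)
  valid_authenticity_token?(session, params['authenticity_token']) ||
    valid_authenticity_token?(session, headers['X-CSRF-Token'])
end
```

A cross-site form post from another origin cannot read the victim's session token, so it can only reach the administrate action if that check is absent, which is exactly the 0.1.4 condition.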

Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.
