Date: 26 November 2007
References: ESB-2007.0935
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2007.0112 AUSCERT Advisory
[Win][UNIX/Linux]
Session fixation vulnerability in Ruby on Rails
26 November 2007
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: Ruby on Rails
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact:           Inappropriate Access
                  Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CVE-2007-6077 CVE-2007-5380
Member content until: Monday, December 24 2007
Ref: ESB-2007.0935
OVERVIEW:
Because the fix for CVE-2007-5380 was incomplete, CVE-2007-6077 has been
assigned to track a session fixation vulnerability in Ruby on Rails
prior to 1.2.6.
IMPACT:
The National Vulnerability Database [1] gives the following
information regarding this vulnerability:
o CVE-2007-6077: "The session fixation protection mechanism in
cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes
the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS
constant, which effectively causes :cookie_only to only be applied
to the first instantiation of CgiRequest, which allows remote
attackers to conduct session fixation attacks." [2]
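The defect class the NVD text describes, an option read destructively out of a shared defaults constant so that only the first request keeps it, is illustrated below with a constructed, framework-free Ruby model. This is an added example, not code from Rails or from AusCERT; the names Request, resolve_session_id, buggy_session_id, fixed_session_id and SessionStore are assumptions, and the exact way Rails 1.2.4 lost the option is not reproduced, only the observable effect: the first request honours :cookie_only and later requests accept a session id from the URL. The SessionStore part goes one step beyond the advisory and shows the complementary control of issuing a new id at login.

```ruby
require 'securerandom'

SESSION_KEY = '_app_session'

# Constructed stand-in for an HTTP request: a cookie hash plus query parameters.
Request = Struct.new(:cookies, :params)

# Modelled on the advisory's DEFAULT_SESSION_OPTIONS. :cookie_only means "take
# the session id from the cookie only, never from the URL". Deliberately left
# unfrozen so the defective path below can run; freezing it would turn the
# silent loss into a FrozenError, which is itself a worthwhile hardening.
DEFAULT_SESSION_OPTIONS = { cookie_only: true }

# Picks the session id for a request. The flag is read with Hash#delete, a
# destructive read: harmless on a per-request copy, fatal on a shared hash.
def resolve_session_id(request, options)
  cookie_only = options.delete(:cookie_only)
  id = request.cookies[SESSION_KEY]
  id = request.params[SESSION_KEY] if id.nil? && !cookie_only
  id
end

# Defective pattern (hypothetical reconstruction): the shared constant is passed
# straight in, so the first request strips :cookie_only and every later request
# falls back to a URL-supplied id, which is what makes fixation possible.
def buggy_session_id(request)
  resolve_session_id(request, DEFAULT_SESSION_OPTIONS)
end

# Corrected pattern: each request works on its own copy of the defaults, so the
# constant keeps :cookie_only for the lifetime of the process.
def fixed_session_id(request)
  resolve_session_id(request, DEFAULT_SESSION_OPTIONS.dup)
end

# Second, independent layer against fixation: never adopt an unknown id, and
# move the session under a fresh id when the user authenticates, so an id that
# was known to anyone before login never becomes an authenticated session.
class SessionStore
  attr_reader :sessions

  def initialize
    @sessions = {}
  end

  # Returns the presented id only if this store issued it; otherwise mints one.
  def establish(presented_id)
    return presented_id if presented_id && @sessions.key?(presented_id)
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = {}
    new_id
  end

  # On successful login, carry the data over to a brand-new id and retire the old one.
  def login(old_id, user)
    data = @sessions.delete(old_id) || {}
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = data.merge(user: user)
    new_id
  end
end
```

Calling buggy_session_id twice with a request that carries no cookie but a `_app_session` query parameter returns nil the first time and the parameter value the second time, while fixed_session_id returns nil both times and leaves DEFAULT_SESSION_OPTIONS untouched. The detection hint for reviewers is the shape of the bug rather than any particular value: a `delete` (or `shift`, `pop`, `merge!`) on something that was assigned from a constant without a `dup`.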
MITIGATION:
Ruby on Rails 1.2.6 has been released to resolve this vulnerability
[3] and is available for download from the vendor's website. [4]
REFERENCES:
[1] National Vulnerability Database
http://nvd.nist.gov/
[2] National Vulnerability Database CVE-2007-6077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6077
[3] Riding Rails
http://weblog.rubyonrails.org/
[4] RubyForge: Rails: Project Filelist
http://rubyforge.org/frs/?group_id=307
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR0o/iih9+71yA2DNAQJISAP/QILZth9mrkWZSQWGetzt776aGtC8RhXh
7haLoHccmz03WHCTopphiODfi1aXwFbhcKCnz65RZFsmmBiS9rmIGaxlbt7paHeP
HKltRnD6ouxoOKOMJOgQILF3nCubm/AjkSncJy0xxjp1bCtrdoj56YT0y7/wNvKJ
9ddOxm97lqM=
=DLox
-----END PGP SIGNATURE-----