Ruby on Rails 1.2.4


Michael Koziarski

Oct 9, 2007, 9:33:45 PM
to rubyonrail...@googlegroups.com
The release of Ruby on Rails 1.2.4 addresses some potential security
issues; all users of earlier versions are advised to upgrade to 1.2.4.

The particular issues are:

# Potential Information Disclosure or DoS with Hash#from_xml

Maliciously crafted requests to a rails application could cause the
XML parser to read files from the server's disk or the network. 1.2.4
removes this functionality entirely.

# Session Fixation attacks.

The session functionality in Rails allowed users to provide their
session_id in the URL as well as cookies. The functionality could be
exploited by a malicious user to obtain an authenticated session.

Users who rely on URL based sessions can re-enable them as follows:

config.action_controller.session_options[:session_secure] = true

--
Cheers

Koz
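Added example (my code, not code from the Rails project or from this thread) of a defensive pattern an application can apply to untrusted XML on any Rails version: refuse any request body that carries a DOCTYPE before it reaches the parser, because an inline DTD is the only place entity declarations can live. The advisory above does not spell out the mechanism, so the assumption that the disk and network reads came from external entity declarations, the helper name parse_untrusted_xml, and the two sample documents are all mine.

```ruby
# Added example, not Rails code: refuse untrusted XML that declares a DTD before
# it ever reaches the parser. Assumes the file/network reads in the advisory
# came from external entity declarations (the classic XXE vector).
require 'rexml/document'

class UnsafeXmlError < StandardError; end

# Hypothetical helper, not Hash#from_xml. Parses XML into a flat Hash of the
# root element's children (name => text), refusing any document that carries
# a DOCTYPE and therefore could declare entities.
def parse_untrusted_xml(xml)
  # Textual pre-check: entity declarations can only appear inside a DOCTYPE,
  # so a document without one cannot ask the parser to fetch anything.
  if xml =~ /<!DOCTYPE/i || xml =~ /<!ENTITY/i
    raise UnsafeXmlError, 'DTD declarations are not accepted in request bodies'
  end

  doc = REXML::Document.new(xml)
  # Second line of defence: refuse if the parser nevertheless saw a doctype.
  raise UnsafeXmlError, 'unexpected DOCTYPE' if doc.doctype
  raise UnsafeXmlError, 'no root element' unless doc.root

  result = {}
  doc.root.elements.each { |el| result[el.name] = el.text.to_s.strip }
  result
end

# Constructed sample input: an ordinary request body.
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <person><name>Alice</name><role>user</role></person>
XML

# Constructed sample input: the payload shape that turns an XML body into a
# file read on the server when the parser resolves external entities.
MALICIOUS_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE person [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  <person><name>&xxe;</name></person>
XML

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted_xml(BENIGN_XML)
  begin
    parse_untrusted_xml(MALICIOUS_XML)
  rescue UnsafeXmlError => e
    puts "rejected: #{e.message}"
  end
end
```

The textual check runs before any parsing on purpose: once a parser has consumed the DTD it may already have fetched the entity, so the point is to never hand it the document at all. The post-parse doctype check is only a backstop for odd encodings that the regex might miss.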

Michael Koziarski

Oct 12, 2007, 6:25:00 PM
to rubyonrail...@googlegroups.com
The issues mentioned in this advisory now have CVE numbers.

> # Potential Information Disclosure or DoS with Hash#from_xml

CVE-2007-5379


> # Session Fixation attacks.

CVE-2007-5380


> config.action_controller.session_options[:session_secure] = true

This was a typo, to re-enable URL based sessions you need the
following line in your environment.rb file.

config.action_controller.session_options[:cookie_only] = false

--
Cheers

Koz
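Added example (my code, not Rails or anything posted in this thread) of the session fixation described in the first message and of what the cookie_only option corrected in the second message changes. It is a toy in-memory session store over a Rack-style env hash; the `_session_id` key name, the `cookie_only:` keyword and the two request hashes are assumptions made to mirror the thread, not the Rails 1.2 implementation.

```ruby
# Added example, not Rails code: a toy session lookup showing why a session id
# taken from the URL enables fixation, and what refusing URL ids changes.
# The env hash shape, the `_session_id` key and the cookie_only: keyword are
# assumptions that mimic a Rack-style request and the option named in the thread.
require 'securerandom'
require 'uri'

class SessionStore
  SESSION_KEY = '_session_id'

  def initialize
    @sessions = {}
  end

  # Which id does this request speak for? With cookie_only the query string is
  # ignored; without it a URL parameter overrides the cookie, which is the
  # behaviour the advisory says pre-1.2.4 Rails had.
  def session_id_for(env, cookie_only: true)
    from_cookie = parse_cookies(env['HTTP_COOKIE'])[SESSION_KEY]
    return from_cookie if cookie_only
    URI.decode_www_form(env['QUERY_STRING'].to_s).to_h[SESSION_KEY] || from_cookie
  end

  # Bind a user to the request's session. A fresh random id is minted only
  # when the request carried no id at all, which is the gap fixation exploits.
  def login(env, user, cookie_only: true)
    sid = session_id_for(env, cookie_only: cookie_only) || SecureRandom.hex(16)
    @sessions[sid] = { 'user' => user }
    sid
  end

  def current_user(env, cookie_only: true)
    sid = session_id_for(env, cookie_only: cookie_only)
    sid && @sessions.dig(sid, 'user')
  end

  private

  def parse_cookies(header)
    header.to_s.split(/;\s*/).each_with_object({}) do |pair, h|
      name, value = pair.split('=', 2)
      h[name] = value if value
    end
  end
end

# Fixation walk-through, constructed: the attacker picks an id, lures the victim
# into logging in through a link that carries it, then presents that id back
# in a cookie and asks who the session belongs to.
def fixation_succeeds?(cookie_only:)
  store = SessionStore.new
  attacker_sid = 'a' * 32 # attacker-chosen, never issued by the server

  victim_env = { 'QUERY_STRING' => "_session_id=#{attacker_sid}", 'HTTP_COOKIE' => '' }
  store.login(victim_env, 'alice', cookie_only: cookie_only)

  attacker_env = { 'QUERY_STRING' => '', 'HTTP_COOKIE' => "_session_id=#{attacker_sid}" }
  store.current_user(attacker_env, cookie_only: cookie_only) == 'alice'
end

if __FILE__ == $PROGRAM_NAME
  puts "URL session ids accepted: fixation #{fixation_succeeds?(cookie_only: false) ? 'succeeds' : 'fails'}"
  puts "cookie_only:              fixation #{fixation_succeeds?(cookie_only: true) ? 'succeeds' : 'fails'}"
end
```

Setting `cookie_only` back to `false`, as the thread explains for applications that depend on URL sessions, re-opens exactly the path the walk-through exploits, so it should be paired with the other standard defence against fixation: issue a new session id at login rather than keeping whatever id the request arrived with (Rails exposes this as reset_session; that pairing is general practice, not something the advisory itself states).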
