Bug 509564 - (CVE-2009-2422) CVE-2009-2422 rubygem-actionpack: authenticate_with_http_digest authentication bypass
Status: CLOSED UPSTREAM
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Depends On: 542055
Blocks:
Reported: 2009-07-03 10:59 EDT by Tomas Hoger
Modified: 2010-12-20 17:28 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-12-20 17:28:21 EST

Description Tomas Hoger 2009-07-03 10:59:45 EDT
A flaw was found in the HTTP digest authentication code in Ruby on Rails. This could allow remote attackers to bypass authentication by providing a non-existent user name and a nil / empty password.

Detailed description, also with workaround:
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s

Upstream patch:
http://github.com/rails/rails/commit/056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489

Support for HTTP digest authentication was only introduced in version 2.3, so only F11/Rawhide should be affected by this problem. The older version 2.1.1 currently in F9, F10 and EPEL5 does not contain the affected code.
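As an added illustration (not code from Rails, from the linked upstream commit, or from this report), the following Ruby models a simplified RFC 2617 digest check in the two shapes the report contrasts: one that feeds whatever the password block returns straight into the hash, and one that refuses a nil password. The user table, the password block (a Hash lookup that yields nil for an unknown user, the pattern the CVE text refers to), the nonce values and the helper names are all constructed for the example.

```ruby
require 'digest/md5'

# Added example, not code from Rails or from this bug report: a simplified
# model of RFC 2617 digest response validation (qop=auth). It shows why a
# password block that returns nil for an unknown user let an empty-password
# request through, and how rejecting a nil password closes that gap.

# Constructed user table. A block that looks the user up in a Hash, and so
# returns nil for a user that does not exist, is the pattern the CVE text
# describes.
USERS = { 'alice' => 's3cret' }.freeze
REALM = 'Example Realm'.freeze
PASSWORD_BLOCK = ->(username) { USERS[username] }

def md5(*parts)
  # Array#join turns nil into an empty string, which is the root of the
  # problem: [user, realm, nil].join(':') == [user, realm, ''].join(':')
  Digest::MD5.hexdigest(parts.join(':'))
end

# Response computation shared by client and server (RFC 2617, qop=auth).
def digest_response(method, uri, username, password, nonce, nc, cnonce)
  ha1 = md5(username, REALM, password)
  ha2 = md5(method, uri)
  md5(ha1, nonce, nc, cnonce, 'auth', ha2)
end

# Server-side expected response for the credentials in the request, given
# the password the application knows for that user.
def expected_for(creds, password)
  digest_response(creds[:method], creds[:uri], creds[:username], password,
                  creds[:nonce], creds[:nc], creds[:cnonce])
end

# Check modelled on the vulnerable shape: whatever the block returns is fed
# straight into the hash, so a nil password hashes exactly like an empty one.
def valid_digest_vulnerable?(creds, &password_block)
  password = password_block.call(creds[:username])
  expected_for(creds, password) == creds[:response]
end

# Hardened check: an unknown user (nil password) fails before any hashing,
# so there is no password value a request could be matched against.
def valid_digest_fixed?(creds, &password_block)
  password = password_block.call(creds[:username])
  return false if password.nil?
  expected_for(creds, password) == creds[:response]
end

# Constructed Authorization header fields for a client that believes the
# credentials are username/password. Nonce values are fixed for the example.
def request_for(username, password)
  creds = { method: 'GET', uri: '/secret', username: username,
            nonce: 'dcd98b7102dd2f0e8b11d0f600bfb0c093', nc: '00000001',
            cnonce: '0a4f113b' }
  creds.merge(response: expected_for(creds, password))
end

# Run both checks against a legitimate login and against an unknown user
# presenting an empty password; returns a Hash of the four outcomes.
def outcomes
  legit   = request_for('alice', 's3cret')
  unknown = request_for('nobody', '')
  {
    vulnerable_legit:   valid_digest_vulnerable?(legit,   &PASSWORD_BLOCK),
    vulnerable_unknown: valid_digest_vulnerable?(unknown, &PASSWORD_BLOCK),
    fixed_legit:        valid_digest_fixed?(legit,   &PASSWORD_BLOCK),
    fixed_unknown:      valid_digest_fixed?(unknown, &PASSWORD_BLOCK)
  }
end

if $PROGRAM_NAME == __FILE__
  outcomes.each { |name, result| puts "#{name}: #{result}" }
end
```

Running the file prints the four outcomes: the legitimate login passes both checks, while the unknown-user request passes only the unguarded variant. The point for an application author is that the guard belongs in the framework's validation, not only in the block; a lookup that happens to return nil must not be able to stand in for a real, empty password.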
Comment 1 Tomas Hoger 2009-07-10 11:21:12 EDT
CVE-2009-2422:
The example code for the digest authentication functionality
(http_authentication.rb) in Ruby on Rails before 2.3.3 defines an
authenticate_or_request_with_http_digest block that returns nil
instead of false when the user does not exist, which allows
context-dependent attackers to bypass authentication for applications
that are derived from this example by sending an invalid username
without a password.
Comment 2 Vincent Danen 2009-11-27 22:42:37 EST
Fedora 12 currently contains 2.3.4, so this only affects Fedora 11 still.
Comment 4 Rakesh Pandit 2010-05-29 04:32:21 EDT
If this affects only F11, please consider closing it, as it is already EOL.
