Bug 20765 - CVE-2009-2422 Ruby on Rails Bug in 'http_authentication.rb' Lets Remote Users Bypass Authentication
Summary: CVE-2009-2422 Ruby on Rails Bug in 'http_authentication.rb' Lets Remote Users...
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: ruby-actionpack
Version: unstable
Hardware: all Linux
: P3 normal
Assignee: Andrey Cherepanov
QA Contact: qa-sisyphus
URL: http://securitytracker.com/alerts/200...
Keywords: security
Depends on:
Blocks:
Reported: 2009-07-13 11:29 MSD by Vladimir Lettiev
Modified: 2009-10-13 14:09 MSD
Description Vladimir Lettiev 2009-07-13 11:29:39 MSD
A vulnerability was reported in Ruby on Rails. A remote user can bypass authentication.

A remote user can supply a specially crafted (invalid) username with no password to successfully authenticate and access a protected page.

Fixed in git: http://github.com/rails/rails/commit/056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489
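The reported behaviour (an unknown username with no password is accepted) is the classic pattern of comparing a supplied credential against a lookup result that is nil. The Ruby below is an added illustration of that bug class and its fail-closed fix; it is not the Rails code from http_authentication.rb or the linked commit, and the user store and credentials are constructed sample data.

```ruby
# Added illustration (not Rails' own http_authentication.rb): a password
# check that mis-handles an unknown user versus one that fails closed.
# USERS is a constructed sample credential store.
USERS = { "alice" => "s3cret" }.freeze

# Vulnerable pattern: an invalid username makes the lookup return nil, and a
# request carrying no password then compares nil == nil, which is true, so the
# caller is treated as authenticated.
def vulnerable_authenticate(username, password)
  stored = USERS[username] # nil for an unknown username
  password == stored       # nil == nil => true
end

# Hardened pattern: refuse before comparing unless both a stored password and a
# supplied password actually exist, then compare in constant time.
def secure_authenticate(username, password)
  stored = USERS[username]
  return false if stored.nil? || password.nil?
  secure_compare(stored, password)
end

# Constant-time byte comparison so a mismatch position is not leaked via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end
```

The hardened check is the property to test for in an authentication layer: a missing user or a missing password must always yield a rejection, never a comparison.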
Comment 1 Sir Raorn 2009-07-13 12:16:08 MSD
The version in Sisyphus (2.3.2.1) contains this commit.
Comment 3 Sir Raorn 2009-07-13 12:34:27 MSD
I got "follows" and "precedes" a bit mixed up.
Comment 4 Sir Raorn 2009-10-13 14:09:43 MSD
Actually, this was already fixed long ago, by the way.