Ruby On Rails Password Protection Can Be Nullified Due To Flawed Code



The Ruby on Rails developers have, in their blog, noted a security problem which can allow the circumvention of password protection of pages or content. It concerns the return value of the block passed to the digest authentication method, authenticate_or_request_with_http_digest. This block should return true if the user is found and false if not. However, the documentation was unclear, and it was possible for a developer to return nil from the block.

Because a nil return value is not false, Rails would continue authenticating. This would allow an attacker to supply an invalid user name with no password and authenticate successfully. One example of flawed code is from the Rails documentation:

authenticate_or_request_with_http_digest(REALM) do |username|
  USERS[username]   # nil for an unknown user; unpatched Rails did not treat nil as failure
end

This code should instead be changed to return false if the user is not found:

authenticate_or_request_with_http_digest(REALM) do |username|
  USERS[username] || false   # explicit false for an unknown user
end

Making this change will close the vulnerability without patching Rails itself. A fix to Rails, which treats returning nil as an authentication failure, has been created and is available in Edge Rails and will appear in Ruby on Rails 2.3.3, due to be released in a few days.
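The following is an added, stand-alone model of the behaviour described above; it is not Rails code and not taken from the article. It reduces the digest check to the part that matters here: the password procedure (the developer's block) is called with the user name from the request, and its return value is fed into the digest computation. Because Ruby's Array#join renders nil as an empty string, a nil password hashes exactly like an empty password, which is why a nil-returning block lets an unknown user name with no password through. The realm, user table, nonce and the "patched" guard (`return false unless password`) are all assumptions made for the example; the real Rails fix is described only as "treating nil as failure".

```ruby
require 'digest/md5'

# Added example, not Rails source: a minimal model of the digest check behind
# authenticate_or_request_with_http_digest, before and after the 2.3.3 fix.
REALM = 'Application'.freeze                   # constructed sample realm
USERS = { 'alice' => 'correct horse' }.freeze  # constructed sample user table
NONCE = 'constructed-nonce'.freeze             # constructed; nonce validation is not modelled

# The flawed lookup from the Rails documentation: nil for an unknown user.
NIL_LOOKUP   = ->(username) { USERS[username] }
# The corrected lookup: an explicit false for an unknown user.
FALSE_LOOKUP = ->(username) { USERS[username] || false }

# RFC 2617 digest pieces (MD5, no qop), just enough to show the nil problem.
def ha1(username, realm, password)
  # Array#join calls to_s on each element: nil becomes "", false becomes "false".
  Digest::MD5.hexdigest([username, realm, password].join(':'))
end

def ha2(method, uri)
  Digest::MD5.hexdigest([method, uri].join(':'))
end

def digest_response(username, realm, password, nonce, method, uri)
  Digest::MD5.hexdigest([ha1(username, realm, password), nonce, ha2(method, uri)].join(':'))
end

# Server side before the fix (assumption: only lookup + comparison modelled):
# whatever the block returns is used as the password, nil included.
def validate_unpatched(credentials, password_procedure)
  password = password_procedure.call(credentials[:username])
  expected = digest_response(credentials[:username], REALM, password,
                             credentials[:nonce], credentials[:method], credentials[:uri])
  expected == credentials[:response]
end

# Server side after the fix, as the article describes it: nil means failure.
def validate_patched(credentials, password_procedure)
  password = password_procedure.call(credentials[:username])
  return false unless password  # nil (and false) both mean "no such user"
  expected = digest_response(credentials[:username], REALM, password,
                             credentials[:nonce], credentials[:method], credentials[:uri])
  expected == credentials[:response]
end

# Client side: what a browser sends in the Authorization header, reduced to a hash.
def build_credentials(username, password, method: 'GET', uri: '/secret')
  { username: username, nonce: NONCE, method: method, uri: uri,
    response: digest_response(username, REALM, password, NONCE, method, uri) }
end

# Run a known user and an unknown user (empty password) through both checks.
def outcomes(lookup)
  alice   = build_credentials('alice', 'correct horse')
  unknown = build_credentials('mallory', '')   # user not in USERS, no password
  {
    unpatched_alice:   validate_unpatched(alice, lookup),
    unpatched_unknown: validate_unpatched(unknown, lookup),
    patched_alice:     validate_patched(alice, lookup),
    patched_unknown:   validate_patched(unknown, lookup)
  }
end

if $PROGRAM_NAME == __FILE__
  p outcomes(NIL_LOOKUP)    # unpatched_unknown is true: the bypass from the article
  p outcomes(FALSE_LOOKUP)  # unpatched_unknown is false: "|| false" closes it
end
```

In this model the `|| false` workaround holds up only because the digest ends up computed over the literal string "false", which no genuine client response matches; the framework-side guard that rejects a missing password outright is the robust fix, and both should be in place once 2.3.3 is available.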

See also:

Security Problem with authenticate_with_http_digest

Heise security - http://www.h-online.com/security/Ruby-On-R...e--/news/113465
