CSRF Vulnerability (CVE-2015-1585)

[Steve Kenworthy]

A Cross-Site Request Forgery (CSRF) vulnerability has been found and fixed in the most recent version of Fat Free CRM. You are strongly encouraged to update your installation.

Versions affected: all versions

Fixed version: v0.13.6 https://rubygems.org/gems/fat_free_crm/versions/0.13.6

Impact

CSRF token verification was found to be defective on requests submitted to a Fat Free CRM server. This led to Fat Free CRM being vulnerable to CSRF-type attacks.

What is CSRF?

Please see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

Patches

For those needing to patch manually, please apply the following patch:

https://github.com/fatfreecrm/fat_free_crm/commit/86fd7f98c9583fd36384987282d1c086fdcecd7c

CVE

The following CVE reference has been assigned: CVE-2015-1585

Further reading

• What is CSRF - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
• How Rails handles CSRF - http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
• A helpful blog post detailing this particular type of issue -http://blog.nvisium.com/2014/09/understanding-protectfromforgery.html (The undisclosed app referenced in this post was not Fat Free CRM - as far as I know.)

Credits

Sven Schleier, KPMG Management Consulting, Singapore for reporting the issue via secu...@fatfreecrm.com

Responsible disclosure policy

Please report issues to secu...@fatfreecrm.com. We will work with you to understand the issue and how we can fix it. Please do not disclose the issue publicly until it has been resolved and released. We're more than willing to give you credit for discovering the issue, once it has been patched and announced, but until then we ask that you consider the security implications of the issue you have found and the impact on others using an un-patched system.

Further details can be found here: https://github.com/fatfreecrm/fat_free_crm/wiki/Security